Cross-Site Scripting

Fleeting

• Référence externe : https://en.wikipedia.org/wiki/Cross-site_scripting
• Référence externe : https://fr.wikipedia.org/wiki/Cross-site_scripting

XSS stands for Cross Site Scripting

— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

Cross site scripting is the method where the attacker injects malicious script into trusted website.

— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

Stored XSS - Vulnerability coming from unprotected and not sanitized user inputs those are directly stored in database and displayed to other users

— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

Reflected XSS - Vulnerability coming from unprotected and not sanitized values from URLs those are directly used in web pages

— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

DOM based XSS - Similar as reflected XSS, unprotected and not sanitized values from URLs used directly in web pages, with difference that DOM based XSS doesn’t even go to server side

— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007.[1] XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner network

— https://en.wikipedia.org/wiki/Cross-site_scripting

d’injecter du contenu dans une page, provoquant ainsi des actions sur les navigateurs web visitant la page

— https://fr.wikipedia.org/wiki/Cross-site_scripting

DOM-based cross-site scripting

• Référence externe : https://web.dev/trusted-types/#how-to-use-trusted-types

DOM-based cross-site scripting happens when data from a user controlled source (like user name, or redirect URL taken from the URL fragment) reaches a sink, which is a function like eval() or a property setter like .innerHTML, that can execute arbitrary JavaScript code.

— https://web.dev/trusted-types/#how-to-use-trusted-types

Notes pointant ici

• a cookie to deal with session create fewer attack surface
• backend for frontend
• cross-site request forgery
• cross-site request forgery
• embedded password in each client
• httponly cookie
• it discourage to run a full web client
• ory Cookie-based security model
• refresh token rotation
• using a service worker (web worker) instead

Permalink