General Information

Cross Site Scripting

Variants:
Direct, Persistent, Multiphase, Session

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Web Application

Affected Mechanisms:
Input Validation, Output Encoding, Syntax Escaping

Invented In:
31/08/2001

Added In:
17/03/2015

Quick Introduction to the Topic:


Vector Operation Method:
Application features that insecurely embed user-controlled content in the HTML output can be abused by attackers to deliver attacker-controlled scripts to legitimate application users. Because the script then executes in the origin of the vulnerable application, the attacker effectively bypasses the browser's same origin policy and can steal users' credentials, cookies and other sensitive information, or perform operations on behalf of the attacked users without their consent or knowledge. Variations in which the user-controlled content lands inside JSON output are sometimes called JSON Injection.


Direct Variant:

Reflected XSS

Also Known As:
Reflected Cross Site Scripting, RXSS

Typical Severity:
Major

Learn More:




Persistent Variant:

Stored XSS

Also Known As:
Persistent Cross Site Scripting, PXSS

Typical Severity:
Critical

Learn More:




Multiphase Variant:

Multiphase XSS

Also Known As:
Indirect Cross Site Scripting

Typical Severity:
Major

Resources:

White Papers:

Learn More:


Session Variant:

XSS via Session Puzzling

Also Known As:
Session Cross Site Scripting

Typical Severity:
Major

Resources:

White Papers:

Learn More: