XSS:- It doesn't need an authenticated session and can be exploited when the vulnerable website doesn't do basic validation or escaping of input. On a vulnerable website, the attacker sends a text-based attack script that affects the application. An XSS attack starts with a simple HTML tag in the of a regular expression.
The attacker injects the value in a URL or text box. Their script then runs on the vulnerable website. The website reflects the error message through a pop-up.
Three types of XSS
Stored XSS Attack:- In this, the attacker injects the script and the script is stored permanently on the target server.
Reflected XSS Attack:- In this, the attacker injects the script and the website throws the error message.
DOM XSS Attack:- It generally involves a server-side controller; the script is sent to the client but not sanitized. The source (where malicious data is read) could be the URL of the page (e.g., document.location.href), or it could be an element of the HTML, and the sink is a sensitive method call that causes the execution of the malicious data (e.g., document.write).
Types of Cross-Site Scripting
· Server XSS
· Client XSS
Server XSS
Server XSS occurs when untrusted data is supplied in an HTML response generated by the server. It has both Reflected Server XSS and Stored Server XSS. The vulnerability is in server-side code, and the browser is simply rendering the response and executing any valid script embedded in it.
Client XSS
Client XSS occurs when untrusted user-supplied data is handled by unsafe JavaScript. Unsafe JavaScript can be used to introduce valid JavaScript into the DOM. The source of this data could be from the DOM, or it could have been sent by the server (via an AJAX call, or a page load). The ultimate source of the data could have been from a request, or from a stored location on the client or the server. It has both Reflected Client XSS and Stored Client XSS.
DOM Based XSS doesn’t change. DOM Based XSS is simply a subset of Client XSS, where the source of the data is somewhere in the DOM, rather than from the Server.
Mitigation:- 1. Understand all the potential areas where untrusted input can be injected
2. Specify a character encoding like UTF-8
3. Input validation. Transform hazardous characters into a character
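
The mitigation steps above, applied to a reflected Server XSS case, as an added example that is not part of the original post. The function names, the search-page template and the sample inputs are constructed for illustration, and `markupOf` is only a rough approximation of how a browser parses markup.

```javascript
// Added example: output encoding for untrusted input (constructed, runs in Node.js).
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Mitigation 3: turn each hazardous character into its HTML entity so the
// browser renders it as text instead of parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Mitigation 2: declare the encoding so the browser never has to guess it.
function responseHeaders() {
  return { 'Content-Type': 'text/html; charset=utf-8' };
}

// Vulnerable (reflected Server XSS): untrusted text is copied into the response.
function renderUnsafe(term) {
  return `<p>No results for ${term}</p><input name="q" value="${term}">`;
}

// Hardened: same template, every untrusted value encoded at the point of output.
function renderSafe(term) {
  const t = escapeHtml(term);
  return `<p>No results for ${t}</p><input name="q" value="${t}">`;
}

// Rough stand-in for the browser's parser: list the elements and attributes
// present in the markup. The template alone yields p, input, input@name, input@value.
function markupOf(html) {
  const found = [];
  const tagRe = /<([a-zA-Z]+)((?:\s+[a-zA-Z-]+="[^"]*")*)\s*>/g;
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    found.push(tag);
    for (const [, name] of attrs.matchAll(/([a-zA-Z-]+)="[^"]*"/g)) {
      found.push(`${tag}@${name}`);
    }
  }
  return found;
}

// Constructed inputs: one adds an element, one adds an attribute.
const samples = ['<script>alert(1)</script>', '" onmouseover="alert(1)'];
for (const s of samples) {
  console.log('unsafe:', markupOf(renderUnsafe(s)).join(' '));
  console.log('safe:  ', markupOf(renderSafe(s)).join(' '));
}
```

With the unencoded template, the first input adds a `script` element and the second adds an `onmouseover` attribute to the `input`; with encoding, both responses contain only the template's own markup.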