10 Oct 2022
What is XSS?
→ cross-site scripting: a web security vulnerability in which attacker-controlled script runs in other users' browsers in the context of the vulnerable site
→ usually allows an attacker to masquerade as a victim user (act with that user's session and privileges)
How does XSS work?
- the attacker manipulates a vulnerable website into returning malicious JavaScript to its users; the browser executes it because it came from the trusted site
- to prove that arbitrary JavaScript executes, it's common practice to use the alert() function, because it's short, harmless, and pretty hard to miss when it's successfully called
- most of the XSS labs are solved by invoking alert() in a simulated victim's browser
How to prevent XSS attacks
- filter input on arrival: validate as strictly as possible against what the field is expected to contain (allow-list, not a blocklist of known payloads)
- encode user-controlled data on output so it cannot be interpreted as active content (HTML-encode when it lands in an HTML body; the encoding has to match the context the data is written into)
- use appropriate response headers:
  - for responses that aren't intended to contain HTML or JavaScript (JSON APIs, file downloads), set an accurate Content-Type and add X-Content-Type-Options: nosniff, so the browser does not sniff the body and interpret it as HTML
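The sink and the three defences above, as an added example in JavaScript (this is not code from the original notes). The function names renderSearchVulnerable, renderSearchSafe, htmlEncode, validateSearchTerm, jsonResponseHeaders and containsScriptTag are hypothetical, and the payload is a constructed input; the code is plain functions so it runs offline under Node.js without a web server.

```javascript
// Added example, not from the original notes: a reflected-XSS sink beside
// its hardened form, plus the "filter on arrival" and "response headers"
// defences from the list above. All names here are hypothetical.

// Constructed attacker input: the classic proof-of-concept payload.
const PAYLOAD = '<script>alert(1)</script>';

// Vulnerable: a query parameter is copied straight into the HTML response,
// so the browser parses the payload as markup and runs the script.
function renderSearchVulnerable(term) {
  return `<html><body><h1>You searched for: ${term}</h1></body></html>`;
}

// Defence: encode user-controlled data on output. The '&' replacement runs
// first so already-encoded output is not double-encoded by later rules.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened: same page, but the term is HTML-encoded for an HTML body context.
function renderSearchSafe(term) {
  return `<html><body><h1>You searched for: ${htmlEncode(term)}</h1></body></html>`;
}

// Defence: filter input on arrival with an allow-list for the field's
// expected shape (here: a short search term of word characters, spaces and
// a few punctuation marks). This is defence in depth; output encoding is
// still required because the term may reach other contexts later.
function validateSearchTerm(term) {
  return /^[\w .,'-]{1,64}$/.test(String(term));
}

// Defence: headers for a response that is not meant to contain HTML or JS.
// An accurate Content-Type plus nosniff stops the browser from guessing
// that a JSON body with '<script>' inside it is really an HTML page.
function jsonResponseHeaders() {
  return {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Quick check used below: does rendered HTML still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration of the difference between the two renderers.
console.log('vulnerable reflects script tag:', containsScriptTag(renderSearchVulnerable(PAYLOAD)));
console.log('hardened reflects script tag:  ', containsScriptTag(renderSearchSafe(PAYLOAD)));
console.log('payload passes input filter:   ', validateSearchTerm(PAYLOAD));
console.log('headers for JSON endpoint:     ', jsonResponseHeaders());
```

Run it with node; the vulnerable renderer emits the payload verbatim (a browser would show the alert), the hardened one emits `&lt;script&gt;...` which the browser displays as text, the input filter rejects the payload outright, and the JSON headers keep a non-HTML response from ever being treated as HTML.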