Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application.
It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other.
Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data.
If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.
How can we prevent XSS Vulnerability?
First
In case of ‘Stored cross-site scripting’, Server should check all of inputs from clients.
HTTPS should also be used for end-to-end security. Currently ‘certbot’ provides way to certificate your website totally FREE. If you use nginx especially, certbot automatically will manage your sites’ SSL/HTTPS.
Second
In case of ‘Reflected cross-site scripting’, Like in case of stored thing, Should be aware of inputs.
Basically these two things are same as perspective which vulnerability is occurred when server is not caring of security.
Third
In case of ‘DOM based cross-site scripting’, This case is subset of client xss (where the data source is from the client only)
Whatever kind, Server should check every inputs from clients.
