Quick Look at Common Vulnerabilities
- Reflected XSS: Malicious script entered by the attacker (for example, as a search query) is received by the server. The code is inserted into the HTML of the response page and sent straight back to the same browser, where it executes.
- Stored XSS: The server accepts user input that contains malicious code and saves it. For example, the attacker might place code in a user profile description that is stored in a forum database. When another user later loads that profile page, the malicious script executes.
- DOM-based XSS: Attacker-controlled input processed entirely in the user's browser is used to modify the current page and inject malicious code through Document Object Model (DOM) manipulation. Because everything happens on the client side, little or none of the malicious code appears in the original HTML page or in the server response.
The risk of XSS exists whenever your application handles any kind of user input. As with many other classes of vulnerability, proper input validation combined with context-sensitive output encoding is the best starting point for limiting an attacker's options. Note that input filtering alone is not sufficient to prevent XSS and should only be used as one part of a properly designed defense-in-depth strategy.