What can a hacker do with cross-site scripting?
- Access cookies stored on a computer to gain access to the victim's account.
- Create fake login pages that steal login details.
- Access webcams and microphones connected to a computer.
- Bypass website security designed to protect you and your computer.
- Create a script that loops or causes other problems that cause the browser to crash.
- Help other computers perform a DDoS attack on another server.
- Give the appearance of the site being defaced.
- Help distribute spam, transfer money, or perform other actions on a user's account.
How users can reduce being a victim to cross-site scripting
- Always be cautious with links sent by e-mail and posted on social networks.
- Never click on a link purporting to be from any financial service or other sensitive website. If your bank, credit card, or related service wants you to click on a link, open your browser and enter the web address in the address bar.
- Familiarize yourself with phishing tactics.
- When done with your online account, log out.
- Keep your browser up-to-date with the latest version.
- Familiarize yourself with all of the ways to protect yourself while on the Internet.
How Webmasters can reduce the threat of cross-site scripting
- Always assume any data submitted to a script is malicious.
- Properly encode, escape, and sanitize the submitted data.
- Escape a double quote (") as the HTML entity &quot; and a single quote (') as &#39; so that submitted data cannot break out of the quoted attribute it is placed in (an attacker escaping your escape).
- Only accept data that you need. For example, if a field is for a name only accept the letters A through Z and strip any numbers and other characters.
- Never place accepted data inside an HTML comment (<!--), a <script> or <style> block, a div attribute, or a tag name attribute.
- If using cookies, use HttpOnly.
- Download and test sites using ZAP (Zed Attack Proxy).
Example of testing a form for XSS