🔐 What is Cross-Site Scripting (XSS)?

• Definition: A web security vulnerability that allows attackers to inject malicious scripts (usually JavaScript) into web pages viewed by other users.
• Abbreviation: “XSS” is used instead of “CSS” to avoid confusion with Cascading Style Sheets.

🌐 How XSS Works

• Exploits browser trust in content coming from trusted websites.
• Allows attackers to:
  • Steal cookies and session tokens.
  • Impersonate users.
  • Deface websites.
  • Redirect users to malicious sites.

🧪 Example Attack Flow

1. Attacker sends a malicious link to the victim (via email, text, etc.).
2. Victim clicks the link and visits a trusted site.
3. The script runs in the victim’s browser without their knowledge.
4. Private data (e.g., session ID, cookies) is sent to the attacker silently.

🧩 Types of XSS Attacks

1. Non-Persistent (Reflected) XSS

• Triggered by user interaction, such as clicking a link.
• Malicious script is not stored on the website.
• Common in search fields, login forms, or error messages.
• Example:
  • A search form accepts and reflects JavaScript back to the user.
  • The attacker sends a crafted URL.
  • The victim’s browser runs the script and leaks data.

2. Persistent (Stored) XSS

• Malicious script is stored on the web server (e.g., in a database).
• Executed every time users access the infected page.
• Common in forums, comment sections, and social media.
• Attack spreads:
  • Others visiting the infected page execute the script.
  • The script may auto-post itself, leading to widespread infection.

🧾 Real-World Case: Subaru Vulnerability (2017)

• Discovered by security researcher Aaron Guzman.
• Subaru’s web portal:
  • Issued tokens that never expired.
  • Tokens allowed full control over vehicle services.
  • Vulnerability allowed XSS injection to steal tokens.
  • Attackers could gain permanent access to victim accounts and vehicles.
• Subaru patched the issue after responsible disclosure.

🛡️ XSS Prevention & Protection

For Users:

• Don’t click untrusted links in emails or messages.
• Use browser extensions to restrict JavaScript.
• Always keep browsers and apps updated to patch known vulnerabilities.

For Developers:

• Validate and sanitize all user inputs.
• Implement Content Security Policy (CSP).
• Escape output based on context (HTML, JavaScript, URLs).
• Use secure frameworks and libraries that automatically handle sanitization.