14 DAY TRIAL // XSS stands for Cross-Site Scripting and is a Web-based security vulnerability that's been around since the birth of modern Web development techniques.
XSS attacks account for 12.75% of all of today's Web-based attacks, and almost 70% of all reported vulnerabilities are XSS-related. Almost 90% of all websites have at least one XSS vulnerability.
Besides DDOS attacks and SQL injections, XSS attacks are the third most encountered form of Web attacks.
In the past, big-name websites like Twitter, Facebook, YouTube, Yahoo, MySpace, or PayPal have all been victims of such attacks.
Yahoo has been so plagued by this problem that, at one point, its engineers open sourced a set of XSS filters so other webmasters could benefit from their work as well.
Recently, even desktop-based software like Popcorn Time have become vulnerable to such problems. This is because Popcorn Time was created using Node.js, a complex platform for server-side JavaScript, instead of classic tools like C++ or C#.
XSS attacks can be of two kinds: reflected and stored.
A Reflected XSS attack occurs when hackers craft malicious URLs which Web servers execute via a single request and response loop. They are the most common and have a short lifespan, affecting one user at a time. They are also called first-order XSS, type 1 XSS, or non-persistent XSS.
A Stored XSS attack is the worst of the two, and it involves the attacker crafting a malicious script, which then gets stored on the Web server. This type of XSS attacks have a broader target, since once saved on the server in the form of a comment or database entry, they then can be displayed to all the users accessing that page without having to make them access a maliciously crafted URL. This type of attack is also called second-order XSS, type 2 XSS, or persistent XSS.
In case you need a visual aid for all of this, the infographic below can help you get a clue about what we're talking about. It was created by Jack Leonard from Barricade, an Irish company focusing on security products for small to medium businesses. We've featured his insightful infographics on our site in the past. Just check out the ones on DDOS attacks and SQL injections.
