Cross-site scripting (XSS) vulnerabilities allow attackers to execute scripts in the browser. The scripts might be designed to hijack a user's session, replace website content, or redirect users. XSS is a highly prevalent security flaw. There are three major types of XSS attack:
- Reflected XSS
- Stored XSS
- DOM XSS

With reflected XSS, an application or API takes untrusted data and sends it to the browser without proper validation or escaping. Stored XSS is possible when an application or API stores user input that has not been properly validated or escaped, and that input is viewed at a later time. DOM XSS is possible when data that is controlled by an attacker is included dynamically by a JavaScript framework, API, or other code.
Client-side tests can confirm that validation is in place to verify that all user-supplied input is safe, and that all user-supplied input sent back to the browser is properly escaped before it is included in the output page. Context-sensitive escaping of untrusted HTTP request data and client-side document manipulation can prevent various types of XSS attack.
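The context-sensitive escaping mentioned above, as an added example that is not code from the original page: the same untrusted value needs a different encoder for HTML content, an inline script string, and a URL attribute. The function names and the `https://example.test/` base URL are assumptions chosen for illustration, and the sample input is constructed.

```javascript
// Added example: one encoder per output context. All names are illustrative.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Context 1: HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Context 2: inside a quoted string literal in an inline <script> block.
// HTML entities are not decoded there, so every character outside a small
// safe set is emitted as a \uXXXX escape instead.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Context 3: a URL placed in href/src. Escaping alone cannot make a
// javascript: URL safe, so allow-list the scheme first, then HTML-escape.
function safeHref(value, base = "https://example.test/") { // assumed base URL
  let url;
  try {
    url = new URL(String(value), base);
  } catch (e) {
    return "#";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "#";
  return escapeHtml(url.href);
}

// Render one untrusted name and link into all three contexts.
function renderGreeting(name, homepage) {
  return [
    `<p>Hello, ${escapeHtml(name)}</p>`,
    `<a href="${safeHref(homepage)}">home</a>`,
    `<script>var user = "${escapeJsString(name)}";</script>`,
  ].join("\n");
}

// Constructed sample input standing in for untrusted request data.
console.log(renderGreeting(`"</script><b>x`, "JavaScript:void(0)"));
```

A backslash passes through `escapeHtml` unchanged, which is why the HTML encoder must not be reused inside the script string.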