A Vulnerability that allows injection of javascript from third parties on a webpage.
Non-Persistent/Reflective XSS
Non-persistent because it exploits sessions
- Website allows scripts to be ran in user input
- Attacker emails a modified link to a user
Example:
A site has a user input field that returns a paragraph tag with the input inside it. If a user inputs javascript. it can be arbitrarily ran.
Persistent/Stored XSS
- Attacker posts payload that is stored on the webserver
- Everybody who visits that website also gets the payload
Solutions
- Disabling all javascript. May be unpleasant as most webpages require javascript to function