What is Cross Site Scripting (XSS)?

Summary : Cross-site scripting (XSS) is a server-computer security vulnerability. It is usually found in web applications ran on dedicated or cloud servers. XSS, as it is the short name, enables web attackers to inject small client-side script in the web pages. Those web pages are usually public. Sometimes, if the pages are password protected, they can be brute force and the passwords protection to be bypassed. A cross site XSS script vulnerability can be used by online attackers to bypass access controls such as the same origin policies. Cross-site scripting carried out on websites are a major thread in recent years and all websites are vulnerable. Unless protected well!

An attacker can use XSS to send a malicious script to unprotected online form. The client’s browser has no way to understand that the malicious script can’t be trusted and will execute the script. It seems that script is trusted, the malicious script can access cookies, session tokens, or other sensitive information stored in the browser and related to the site. These malicious scripts can even rewrite and totally change the content of the HTML pages.

Impact can be: An Adversary can carry out XSS attack and also can take the cookie of the Admin and login through Admin Account.
Also, an adversary can manage to login through any other user’s account with valid session cookies.

Recommendations:
Sanitize all the user inputs before executing them, also add XSS protection headers on server and client side.

References :

https://hackerone.com/reports/840759/
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet