In the preceding chapter, I introduced you to a handful of smaller injection attacks. In this chapter, I continue with a large family of them known as cross-site scripting (XSS). XSS attacks come in three flavors: persistent (also called stored), reflected, and DOM-based. These attacks are both common and powerful.
Note
At the time of this writing, XSS is number 7 on the OWASP Top Ten (https://owasp.org/www-project-top-ten/). In the 2021 edition of the list, XSS is no longer a standalone entry; it is folded into A03:2021 Injection.
XSS resistance is an excellent example of defense in depth; one line of protection is not enough. You’ll learn how to resist XSS in this chapter by validating input, escaping output, and managing response headers.
XSS attacks come in many shapes and sizes, but they all have one thing in common: the attacker injects malicious code into a page that another user's browser renders. Because the browser cannot tell the injected code from the site's own, it runs with the victim's session and the site's origin privileges. Malicious code can take many forms, including JavaScript, HTML, and Cascading Style Sheets (CSS). Malicious code can arrive via many vectors, including the body, URL, or header of an HTTP request.