🎩Cross-site scripting (XSS)

This is the way an attacker can pass a script, such as JavaScript, into our system or database so that it later runs in other users' browsers.

Example

  1. We have a database that stores comments as plain text without input validation.

  2. The attacker sends the script as text input and we store it in the DB.

  3. When a client opens the website to view the comment, the stored script runs in their browser.

How to Protect

  1. Input validation to reject script content.

  2. Encode data before rendering HTML -> modern frameworks already handle this; React, for example, escapes special characters by default.

  3. Add a Content Security Policy (CSP) header -> to determine which kinds of JS scripts are allowed to run.
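As an added example (not part of the original note), the JavaScript below walks through the Example steps and the protections above: the same stored comments are rendered unsafely and with HTML encoding, and a CSP header is built as a second layer. The comment strings and function names are constructed for illustration.

```javascript
// Added example (not from the original note). Renders DB-stored comments into
// HTML both unsafely and with output encoding, then builds a CSP header.
// Assumption: comments arrive as plain strings exactly as they were stored.

// Encode the characters that let text break out of an HTML text node or
// attribute value. This is the "encode data before rendering HTML" step.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: stored text is concatenated straight into the page, so a comment
// that contains markup becomes live markup when a visitor loads it.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Safe: the comment is encoded first, so the browser displays the characters
// instead of interpreting them as tags or event handlers.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

function renderPage(comments, renderComment) {
  return `<ul>${comments.map(renderComment).join('')}</ul>`;
}

// Defence in depth: only scripts served from our own origin may run, so an
// inline script that slips past encoding is still blocked by the browser.
function buildCsp() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Detection helper for a render test: is there a live <script> tag in the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample rows, as the Example steps describe them: stored without
// input validation, one harmless and two carrying markup.
const storedComments = [
  'Great post!',
  '<script>alert(1)</script>',
  '<img src=x onerror="alert(1)">',
];

console.log(renderPage(storedComments, renderCommentSafe));
console.log('Content-Security-Policy:', buildCsp());
```

Run with `node` to see the encoded list; the unsafe renderer is kept only so a test can show the difference between the two outputs.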
