Cross-Site Scripting (XSS) attacks are probably the most widespread type of attack on web applications. They happen when malicious scripts are injected into websites in order to target end users.
The goal of an XSS attack is to have a script execute in the victim’s browser on the affected site, typically to steal sensitive information such as the session cookie of an authenticated user and send it back to the attacker’s server. With that session cookie, the attacker can then gain access to the victim’s account on that specific website. Such an attack can be carried out without the victim’s knowledge.
This kind of attack has been performed against well-known services such as WhatsApp, where an attacker was able to completely hijack a victim’s WhatsApp account and take control of it.
Websites and web applications are vulnerable to XSS attacks typically when user inputs are not filtered correctly.
FortKnoxster implements several security measures to protect our users against XSS attacks: user input such as an inbox or chat message is escaped and sanitized before it is displayed in the receiver’s browser. Furthermore, our web application and server configurations have been optimized to set the HttpOnly cookie flag and the X-XSS-Protection and Content-Security-Policy response headers.
Our research into Content Security Policy (CSP) has resulted in a very strict CSP configuration that does not allow any kind of external source to be loaded inside the FortKnoxster environment. You can read more about it here.
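As an added illustration of the two measures just described (escaping user-supplied message text before display, and the HttpOnly cookie flag together with strict CSP and X-XSS-Protection response headers), here is a small JavaScript example. It is not FortKnoxster’s own code; the message markup, the cookie name and the exact CSP directives are assumptions.

```javascript
// Map of the five characters that can break out of HTML text or attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text before it is placed into an HTML page so that a
// message containing markup is displayed literally instead of being parsed.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one chat message as an HTML fragment; both fields are user-controlled
// and therefore escaped. The surrounding markup is a constructed placeholder.
function renderMessage(sender, body) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}

// Session cookie with HttpOnly, so page scripts cannot read it via document.cookie.
// Secure and SameSite are added as extra hardening beyond what the post lists.
function sessionCookie(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Response headers: a strict CSP that allows only same-origin sources and no
// plugins or framing, plus the legacy X-XSS-Protection filter header.
// This CSP is an assumed example, not FortKnoxster's actual policy.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    'X-XSS-Protection': '1; mode=block',
  };
}

// Assemble a complete response description (no network; a server would copy these fields).
function buildResponse(sessionId, sender, body) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Set-Cookie': sessionCookie(sessionId),
      ...securityHeaders(),
    },
    body: `<!doctype html><body>${renderMessage(sender, body)}</body>`,
  };
}

// Constructed sample: a message that would run as script if inserted unescaped.
const SAMPLE = { sender: 'alice', body: '<script>alert(1)</script> "quoted" & more' };
const SAMPLE_RESPONSE = buildResponse('example-session-id', SAMPLE.sender, SAMPLE.body);
```

Escaping at output time handles the message body regardless of where it came from, while the HttpOnly flag limits what a script that does slip through can read.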
There are different kinds of XSS attacks and many different kinds of XSS vulnerabilities. More information about Cross-Site Scripting: