Cross-Site Scripting (XSS) attacks are probably the most widely spread type
of attacks on web applications and happen when malicious scripts are
injected into websites to target end users.
The goal of an XSS attack is to make some browser script execute in the
victim’s browser on infected sites and to steal sensitive information such as a
session cookie from an authenticated user and then send it back to the
attacker’s server. The attacker can then gain access to the victim’s account
on that specific website by using this session cookie. Such an attack can be
done without the victim’s knowledge.
This kind of attack has been performed on well-known services such as
WhatsApp, where the attacker was able to completely hi-jack some victim’s
WhatsApp account and being able to control that victim’s account.
Websites and web applications are vulnerable to XSS attacks typically when
user inputs are not filtered correctly.
FortKnoxster implements several security measures to make sure our users
are protected against any kind of XSS attacks, by making sure user inputs
such as an inbox or chat message are escaped and sanitized before
displaying it, in the receiver’s browser. Furthermore, our web application and
server configurations have been optimized to set the HTTPOnly cookie flag,
X-XSS-Protection, and Content-Security-Policy response headers.
Our research in Content Security Policy (CSP) has resulted in a very strict CSP
configuration, by not allowing any kind of external sources to be loaded
inside the FortKnoxster environment. You can read more about it here
There are different kinds of XSS attacks and many different kinds of XSS vulnerabilities. More information about Cross-Site Scripting:
Please also join our Telegram group and visit our Facebook page and Twitter page for more inspiration.