Security - XSS

security

https://motherboard.vice.com/en_us/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever
https://www.veracode.com/security/xss
https://www.owasp.org/images/c/c5/Unraveling_some_Mysteries_around_DOM-based_XSS.pdf
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Content_Security_Policy
https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://www.owasp.org/index.php/ASVS
https://www.owasp.org/index.php/AntiSamy
https://www.owasp.org/index.php/Testing_for_Data_Validation
https://www.owasp.org/index.php/Reviewing_Code_for_Cross-site_scripting
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
http://cwe.mitre.org/data/definitions/79.html
http://bit.ly/R92c8z
https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy
https://developer.mozilla.org/en-US/docs/Security/CSP/CSP_policy_directives
https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Proactive_Controls_2016
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)
https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
https://cwe.mitre.org/data/definitions/79.html
https://portswigger.net/kb/issues/00200308_client-side-template-injection

https://www.sans.org/reading-room/whitepapers/detection/identify-malicious-http-requests-34067
https://isi.jhu.edu/wp-content/uploads/2020/04/HICSS19-XSS-Analysis-hicss-draft-9-22-2018-V3.pdf
http://sci.tamucc.edu/~cams/projects/507.pdf

What are the approaches to carry out an XSS attack?

<script>alert(1)</script>
alert(1)
</script>Some embarrassing message

Attackers typically exploit XSS by supplying @<script>alert(1)</script>@ as the value of a URL or form parameter. If the application writes that value into the page without encoding it, the browser executes the JavaScript.

The @script@ tag form is dangerous when the value is rendered among the rest of the page's HTML. A second approach does not use the @script@ tag at all: the parameter value is simply alert(1). If the application inserts that value into its own JavaScript (for example into an inline script block or an event handler), the alert is executed there.

alert(1) itself does no harm, but it is the probe most security scanning tools use. Attackers run these scanners, or tools of their own, to find the places where arbitrary JavaScript can be executed. Once such a place is found, the injected script can make AJAX calls that send sensitive information to the attacker's servers, or display harmful or embarrassing messages.

How can we fix XSS vulnerability?

To fix an XSS vulnerability, apply the appropriate output encoding. Use an established library such as ESAPI; check the OWASP web site and use the library it recommends. We may need to provide methods such as encodeForHTML and encodeForJS and call the one that matches the context in which the parameter value is being used (HTML body, HTML attribute, JavaScript, and so on), since the correct encoding differs per context.
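As an added example (not code from the original page, and not ESAPI's implementation), the two context-specific encoders the text suggests, encodeForHTML and encodeForJS, written in JavaScript, together with a vulnerable and a hardened template that render the same parameter value. The template strings and the countScriptTags check are constructed for this illustration.

```javascript
// Added example: context-aware output encoding for the two contexts
// discussed above (HTML body text and a JavaScript string literal).

// HTML context: every character that could open a tag, close an attribute
// or start an entity is replaced by an entity.
function encodeForHTML(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// JavaScript string-literal context: everything except alphanumerics is
// emitted as \xHH or \uHHHH (one escape per UTF-16 code unit), so the value
// can never terminate the string, the statement, or the enclosing </script>.
function encodeForJS(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (code < 0x100) out += '\\x' + code.toString(16).padStart(2, '0');
    else out += '\\u' + code.toString(16).padStart(4, '0');
  }
  return out;
}

// Vulnerable template (constructed): the raw parameter value is concatenated
// into HTML and into an inline script. A value such as the page's
// <script>alert(1)</script> probe ends up executing twice.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>\n<script>var user = '${name}';</script>`;
}

// Hardened template (constructed): each insertion point uses the encoder
// that matches the context the value lands in.
function renderSafe(name) {
  return `<p>Hello ${encodeForHTML(name)}</p>\n` +
    `<script>var user = '${encodeForJS(name)}';</script>`;
}

// Review check: how many script-opening tags the rendered page contains.
// The hardened page must contain only the template's own one.
function countScriptTags(html) {
  return (html.match(/<script/gi) || []).length;
}
```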

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License