What is cross-site scripting?
Cross-site scripting is a type of attack where the attacker injects code (basically, things such as client-side scripting, which in our case is JavaScript) into the remote server.
If you remember, we did something similar in the previous chapter: we posted something that says alert()
, which unfortunately gets saved into our database. When our screen refreshes, the alert gets fired off. This alert()
function gets fired off whenever we hit that page.
There are basically two types of cross-site scripting: persistent and nonpersistent.
Persistent cross-site scripting
Persistent cross-site scripting happens when the code injected by the attacker gets stored in a secondary storage, such as a database. As you have already seen in Chapter 2, Secure Ajax RESTful APIs, the testing of security flaws that we performed is a form of persistent cross-site scripting, where our injected alert()
function gets stored in MongoDB.
Nonpersistent cross-site scripting
Nonpersistent cross...