Injection of HTML code and/or client-side scripts such as JavaScript, VBScript, and JScript by malicious web users into web pages viewed by other users is a computer security vulnerability typically found in web applications. It is popularly known as a Cross-Site Scripting (XSS) attack.
The code can be injected either through a web form or through a query-string parameter. To check whether your web application is open to XSS, enter the following code in an input textbox and/or textarea of the web form (for a query string, replace the parameter value with the same code):
<script> alert('XSS attack is possible'); </script>
Submit the web form or the page, then open the display or view page of the application. If an alert box showing “XSS attack is possible” appears, the input was rendered into the page without encoding, and your application is vulnerable to an XSS attack.
The next question is how to prevent XSS attacks on the web application. Apply the following checklist in your web application code:
- Apply HTMLEncode to user-supplied data in the action page/code of all web forms
- Apply URLEncode to user-supplied data placed in URLs and query strings in your web application
- Use proper validation for numeric and date fields and for the length of the data
- Always validate data against its expected data type
- Avoid special characters like *, %, @, !
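The following Node.js example is added here to illustrate the test above and the checklist; it is not code from the original article. It assumes a minimal server-side "view page" that concatenates a user comment into HTML, and the functions htmlEncode, urlEncode, renderUnsafe, renderSafe, buildSearchLink, validate and reflectsScript are all hypothetical names chosen for this illustration. htmlEncode and urlEncode are written to have the same effect as the HTMLEncode and URLEncode the checklist refers to: the unsafe renderer reflects the article's test payload as live markup, while the encoded renderer turns it into inert text. The validation step also handles the rolled-over-date edge case (e.g. 2024-02-30) that a simple regex would miss.

```javascript
// Added example (not from the original article): unsafe vs. encoded rendering
// of user input, URL-encoding of a query-string value, and the input
// validation the checklist calls for. All function names are hypothetical.

// HTML-encode the five characters that let text break out of an HTML text
// node or a quoted attribute value (same effect as Server.HtmlEncode).
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;") // must be first so existing entities are not double-handled
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// URL-encode a value that is placed into a query string (same effect as Server.UrlEncode).
function urlEncode(value) {
  return encodeURIComponent(String(value));
}

// Vulnerable "view page": user input is concatenated straight into the markup.
function renderUnsafe(comment) {
  return "<p class=\"comment\">" + comment + "</p>";
}

// Hardened "view page": the same template, but the input is HTML-encoded first.
function renderSafe(comment) {
  return "<p class=\"comment\">" + htmlEncode(comment) + "</p>";
}

// Build a link whose query-string parameter carries user input, URL-encoded.
function buildSearchLink(term) {
  return "/search?q=" + urlEncode(term);
}

// Date check that rejects rolled-over dates such as 2024-02-30: the value is
// re-built from its parts and must come back with the same year, month and day.
function isValidDate(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(text));
  if (!m) return false;
  const [y, mo, d] = m.slice(1).map(Number);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
}

// Validation from the checklist: data type, date format and length are checked
// before the value is accepted at all. Returns an array of error strings.
function validate(fields) {
  const errors = [];
  const { age, birthDate, comment } = fields;
  if (!/^\d{1,3}$/.test(String(age))) errors.push("age must be a whole number of at most 3 digits");
  if (!isValidDate(birthDate)) errors.push("birthDate must be a real date in YYYY-MM-DD form");
  if (typeof comment !== "string" || comment.length === 0 || comment.length > 500) {
    errors.push("comment must be 1-500 characters");
  }
  return errors;
}

// The article's test payload, used here as a constructed sample input.
const PAYLOAD = "<script> alert('XSS attack is possible'); </script>";

// True when the rendered page still contains a live <script> tag, i.e. the
// renderer reflected the payload without encoding it.
function reflectsScript(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderUnsafe(PAYLOAD), "->", reflectsScript(renderUnsafe(PAYLOAD)));
console.log("safe:  ", renderSafe(PAYLOAD), "->", reflectsScript(renderSafe(PAYLOAD)));
console.log("link:  ", buildSearchLink(PAYLOAD));
console.log("errors:", validate({ age: "abc", birthDate: "2024-02-30", comment: PAYLOAD }));
```

Running the script prints the unsafe rendering (a live `<script>` element, so reflectsScript reports true) next to the encoded rendering, in which the browser displays the payload as literal text and reflectsScript reports false. The same reflectsScript check can be pointed at a captured response body to confirm that a fix actually removed the reflection rather than only changing its shape.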