Cross Site Scripting (XSS), in simple terms, is a client-side code injection attack carried out by various means, most often JavaScript.
Cross Site Scripting is a security vulnerability of your website: through XSS a website can be attacked, with attackers injecting client-side JavaScript, Flash, VBScript, ActiveX and similar content into web pages.
An attacker can use the injected scripts to change the content of your website, or even redirect users to a different web page, for example one that hosts malicious code.
Attackers can steal session cookies from the user's browser and use them for further attacks.
If you have not set a Content Security Policy on your website, the browser cannot tell whether a script injected from an untrusted source is one your website accepts or not.
You need to set a Content Security Policy on your website so that the browser knows what it is allowed to load and execute from external sources.
X-XSS-Protection is one of the website security headers that should be included in the response headers sent to the browser.
We have a Cross Site Scripting check tool that finds out whether a website uses these important security layers and lets you check the security metrics of your website: enter your website name and you will get the security grade of your website.
Cross Site Scripting can be prevented by implementing the security layer parameters below on your website:
1) X-XSS-Protection
It prevents XSS attacks.
2) Content-Security-Policy
It prevents Cross Site Scripting and other code injection attacks.
3) X-Content-Type-Options
It prevents MIME sniffing vulnerabilities: the MIME type advertised in the Content-Type header must be followed and not changed by the browser.
4) X-Frame-Options
It avoids invalid rendering of web pages inside frames and prevents clickjacking attacks.
5) HSTS - Strict Transport Security
It prevents cookie hijacking.
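The five headers above as a concrete response configuration, together with a small checker of the kind the check tool mentioned earlier performs. This is an added example and not the page's own tool or code; the header values chosen (a same-origin CSP, DENY for framing, a one-year HSTS max-age) are assumptions picked for illustration, and the sample response object is constructed here.

```javascript
// Added example: the five security headers the page lists, a helper that
// applies them to a Node.js http.ServerResponse, and a checker that reports
// which of them a response is missing (names compared case-insensitively).
const SECURITY_HEADERS = {
  // Legacy auditor toggle; modern Chromium and Firefox ignore this header,
  // so the Content-Security-Policy below is the control that actually
  // blocks injected scripts.
  "X-XSS-Protection": "1; mode=block",
  // Only scripts from this origin may run; inline <script> and eval() are refused.
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  // The browser must honour the declared Content-Type instead of sniffing it.
  "X-Content-Type-Options": "nosniff",
  // The page may not be rendered inside a frame at all (clickjacking).
  "X-Frame-Options": "DENY",
  // One year of HTTPS-only, including subdomains (assumed value).
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
};

// Apply all five headers to any object exposing setHeader(name, value),
// such as a Node.js http.ServerResponse.
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  return res;
}

// Given a response's headers (names in any letter case), return the names of
// the listed security headers that are absent or set to an empty value.
function missingSecurityHeaders(headers) {
  const present = new Set(
    Object.entries(headers)
      .filter(([, v]) => v !== undefined && String(v).trim() !== "")
      .map(([k]) => k.toLowerCase())
  );
  return Object.keys(SECURITY_HEADERS).filter(
    (name) => !present.has(name.toLowerCase())
  );
}

// Constructed sample response that only sets a content type.
const sampleResponse = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
sampleResponse.setHeader("content-type", "text/html; charset=utf-8");
console.log(missingSecurityHeaders(sampleResponse.headers)); // all five names
applySecurityHeaders(sampleResponse);
console.log(missingSecurityHeaders(sampleResponse.headers)); // []
```

In a real server the same applySecurityHeaders(res) call belongs in a middleware that runs for every response, so no page is served without the headers.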
There are three main types of XSS vulnerabilities: persistent (stored) XSS, reflected XSS and Document Object Model (DOM) based XSS.
Stored (persistent) XSS is the most damaging type of cross-site scripting attack. The attacker injects a script, also called the payload, that is stored permanently on the target application, for example in a database. Typically the attacker inserts the malicious script into a blog, a forum post or a comment field.
The XSS payload is then served as part of the web page whenever a victim navigates to the affected page. Once the victim views the page in a browser, they end up inadvertently executing the malicious script.
Reflected XSS is the most common type of cross-site scripting vulnerability. In this type of attack the attacker has to deliver the payload to the victim: the payload script must be part of the request sent to the web server and reflected back, so that the HTTP response includes the payload taken from the HTTP request.
The attacker uses phishing emails and other social engineering methods to lure the victim into inadvertently making a request to the server that includes the XSS payload. The reflected script is then executed inside the victim's browser. Because reflected XSS is not a persistent attack, the attacker must deliver the payload to each victim separately.
DOM-based XSS is an XSS attack in which the payload is executed as a result of modifying the Document Object Model (DOM) environment in the victim's browser.
It is an advanced type of XSS attack, made possible when the web application's client-side script writes user-provided data (from cached session cookies) into the DOM.
The page's script then reads that data back from the DOM and renders it in the browser; the browser cannot distinguish it from legitimate code and executes it. If the data is not handled correctly, the attacker can inject a payload that is stored as part of the DOM, and the payload executes when the data is read back from the DOM.