Cross Site Scripting (XSS) is used by hackers to break the security of a web application, and it is a security vulnerability of the web application. It is done by passing script into a text box, query string, cookies, session variables or application variables, and into data retrieved from external and shared resources.

To prevent Cross Site Scripting:
- Enable the RequestValidation page property by setting it to True.
- Use proper validation on user input.
- Always encode user input when processing it.
- If data is coming from external or shared sources, never display raw data; always encode the data before displaying it to the user.
- We can use the AntiXSS library to prevent Cross Site Scripting.

It's a vulnerability.
This, also known as XSS, is a way of bypassing the SOP concept in a vulnerable web application. Whenever HTML code is generated dynamically, and the user input is not sanitized and is reflected on the page, an attacker could insert his own HTML code. The web browser will still show the user’s code since it pertains to the website where it is injected.
In such a case an attacker can easily insert JavaScript code which would run under the site’s context. By doing so the attacker is able to access other pages on the same domain and can read data like CSRF tokens or the set cookies.
If the cookies, which typically contain session identifier information, can be read by the client-side JavaScript code, the attacker can use them in his own browser and log in to the web application as the victim. If that does not work, the attacker can still read private information from the pages, such as CSRF tokens, and make requests on behalf of the user.
Stored XSS − Stored XSS also known as persistent XSS occurs when user input is stored on the target server such as database/message forum/comment field etc. Then the victim is able to retrieve the stored data from the web application.
Reflected XSS − Reflected XSS also known as non-persistent XSS occurs when user input is immediately returned by a web application in an error message/search result or the input provided by the user as part of the request and without permanently storing the user provided data.
DOM Based XSS − DOM Based XSS is a form of XSS when the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser.
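The reflected case described above, as an added example that is not part of the original posts: a search term rendered into a page first by plain concatenation and then with output encoding for each context it lands in. The function names (`encodeHtml`, `safeHref`, `renderUnsafe`, `renderSafe`) and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: reflected input rendered with and without output encoding.
// All names and sample values here are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode for HTML element content and quoted attribute values.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) links in href: HTML encoding alone does not
// neutralise a script-bearing URL scheme, so the scheme is validated too.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    const allowed = url.protocol === 'http:' || url.protocol === 'https:';
    return allowed ? encodeHtml(url.href) : '#';
  } catch {
    return '#'; // not an absolute URL: fall back to an inert link
  }
}

// Vulnerable: user input concatenated into the markup as-is.
function renderUnsafe(query) {
  return `<p>Results for ${query}</p><input name="q" value="${query}">`;
}

// Hardened: every reflected value is encoded for the context it lands in.
function renderSafe(query, backLink) {
  return `<p>Results for ${encodeHtml(query)}</p>` +
         `<input name="q" value="${encodeHtml(query)}">` +
         `<a href="${safeHref(backLink)}">Back</a>`;
}

// Constructed inputs: markup in the query, a non-http scheme in the link.
const sampleQuery = '"><script>alert(1)</script>';
const sampleLink = 'javascript:alert(1)';

console.log(renderUnsafe(sampleQuery));          // markup reaches the page intact
console.log(renderSafe(sampleQuery, sampleLink)); // markup is shown as text
```

The same encoding applies to stored input at the moment it is written into a page, not only to values reflected from the current request.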
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. For more detail, visit: https://www.acunetix.com/websitesecurity/cross-site-scripting/