Web applications attacks/Cross site scripting
An XSS attack is considered non-persistent if the malicious script is not saved by the application (e.g. an e-mail containing a malicious script is sent to the victim).
As opposed to non-persistent attacks, attacks whose payload is saved by the application (e.g. in the database or in files) are considered persistent. Any user who connects to the application is likely to be affected simply by displaying the application's pages. An example of a persistent attack is a forum message containing an image whose source is a remote malicious script.
Non-persistent attacks
- Never trust data in the database. Data must be sanitized (escaped for the context in which it is output) before being processed by the scripts.
- Never directly use data provided by the browser ($_GET, $_POST). Always sanitize these data before processing them.
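The two rules above, as an added PHP example (not code from the original page): the same output-encoding step protects against both the non-persistent case (a parameter taken from $_GET and echoed back) and the persistent case (a forum message read back from storage and displayed to every visitor). The function names, the helper `html_escape` and the sample inputs are assumptions constructed for this illustration.

```php
<?php
// Added example, not from the original page. Function names and sample inputs
// are assumptions constructed for the illustration.

// Vulnerable: the browser-supplied parameter is echoed back unchanged, so a
// script in the parameter runs in the victim's browser (non-persistent case).
function render_greeting_vulnerable(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// Hardened: encode for the HTML context at the point of output. ENT_QUOTES
// also encodes single and double quotes, which matters inside attributes.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_greeting(string $name): string
{
    return "<p>Hello, " . html_escape($name) . "</p>";
}

// Persistent case: a forum message that was stored verbatim in the database.
// Storing it unchanged is acceptable only if every output path encodes it;
// note that the attribute value needs the same treatment as the body.
function render_forum_message(array $row): string
{
    return '<div class="post" data-author="' . html_escape($row['author']) . '">'
         . html_escape($row['body'])
         . '</div>';
}

// Constructed sample input standing in for $_GET['name'] and a database row.
// When run from the command line $_GET is empty, so the fallback is used.
$name = $_GET['name'] ?? '<script>alert(1)</script>';
$row  = [
    'author' => 'mallory" onmouseover="alert(1)',
    'body'   => '<img src=x onerror=alert(1)>',
];

echo render_greeting_vulnerable($name), "\n"; // the script tag survives intact
echo render_greeting($name), "\n";            // angle brackets are encoded as entities
echo render_forum_message($row), "\n";        // quotes in the author field are encoded too
```

Run with `php example.php` to compare the three lines: in the vulnerable output the `<script>` element reaches the browser as markup, whereas in the hardened outputs `<`, `>` and `"` appear only as HTML entities, so both the reflected parameter and the stored message are displayed as text rather than executed.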
- Arachni is a fast, asynchronous web application security scanner that detects, among other things, XSS vulnerabilities.
- XSS Me (Firefox plugin)
- Zed Attack Proxy (ZAP)