Cross-Site Scripting (XSS)
Cross-site scripting (XSS) attacks inject attacker-controlled JavaScript into a trusted site, so that
it runs in the victim's browser with the origin of that site. Injected JavaScript can then read tokens
from cookies and local storage and send them to the attacker. If an access token is leaked before it
expires, a malicious user can use it to access protected resources as the victim. XSS is usually caused
by untrusted data (typically user input handled by the backend) being written into a page without
proper encoding for the context it lands in, much as SQL injection is caused by untrusted data being
spliced into a query.
An example of an XSS attack could be related to the comments section of a public site. Every time
a user adds a comment, it is stored by the backend and displayed to users who load the comments
section. If the backend does not encode the comments when rendering them, a malicious user could
write a comment in such a way that the browser interprets it as a <script> tag. So, a malicious user
could insert arbitrary JavaScript code and have it executed in the browser of every user who loads
the page, thus stealing credentials stored in cookies and local storage. Because the payload is stored
and served to everyone, this is known as stored (or persistent) XSS.
Mitigation relies on treating all data received from clients as untrusted: validate it on input and,
more importantly, encode it for the context in which it is rendered (HTML body, attribute, JavaScript,
URL) before writing it into a page. If cookies are used, setting the HttpOnly flag stops JavaScript
from reading them through document.cookie. The flag is useful but limited: it does nothing for tokens
kept in local storage, injected script can still issue requests from the victim's origin and the browser
attaches the cookie to those requests, and HttpOnly does not protect the cookie from CSRF attacks.