Cross-site scripting is the perfect gateway to vulnerabilities-galore. Essentially, XSS is a weakness in a website that allows an attacker easy access to malicious intent.
For victims that visit a website under the influence of an XSS attack, they can unknowingly execute a code.
“Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.”
This can result in a malware attack, the compromising of sensitive information, or even full access to your system in order to perform future attacks.
Due to XSS running as a code on the client’s end of the spectrum, it has access to anything that JavaScript has access to. This includes cookies and browser history.
Unfortunately, those are also the least of your problems when XSS vulnerabilities are found.
“One of the real concerns about XSS is that by downloading script on a client-side computer, that endpoint can become enslaved into a botnet, or group of computers that have been infected with malware in order to allow a third party to control them, and used to participate in denial of service attacks. Users might not even be aware that they are part of an attack.”
When it comes to XSS vulnerability prevention, the process and security measures are fairly straight forward. You need to make sure you’re boarding up any exploits and reviewing all of your website’s coding regularly for bugs/holes.
Also consider disabling comments with links, while keeping a close eye on website traffic for signs of strange behavior.