XSS Attacks

Cross-site scripting (XSS) attacks can be devious, and are a bit harder to explain than most other attack vectors.

Stored XSS attacks can be found on some online forums where the forum software doesn't properly contain user input. A malicious user of the forum can put JavaScript code directly in their post, and it will then execute in the browser of anyone who views the page containing the post. You don't even have to scroll to that post for the code to execute.

That code runs only inside your browser, but it can still steal advertising cookies and other sensitive information from it, even though the attacker did not create the forum or website that you are on.

Many browsers allow you to block scripts, but keep in mind this can sometimes reduce or break the functionality of a webpage.

Most large social media platforms such as Twitter have this locked down by cleaning user data. You'd be hard pressed to find a way to run JavaScript on Twitter by writing a tweet. This attack vector is less common now, but be wary of it on old forums and websites.

Reflected XSS attacks can be done by sending you a malicious link through another channel. For example, you receive an email suggesting you look at a post on Facebook, but the link doesn't actually go to a post. Instead, the link carries a query string and could look something like: twitter.com/createpost?message=Gotcha

This is a fake example, but it should give you an idea of what can happen. Depending on how much the website depends on query strings, the outcome could range from as bad as sending something you didn't mean to, or resetting a password, down to not much at all. PHP and ASP websites are generally more vulnerable, as they often use this older style of programming.

Remember to clean your query strings!
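
As an added example (not from the original page), the JavaScript sketch below shows what "cleaning" user input means for both cases above: a forum post rendered with and without HTML escaping, and a query-string value escaped before it is echoed back. The function names, the forum.example host and the sample post are constructed for illustration.

```javascript
// Added example: all names and sample data below are constructed, not from a real site.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the five characters that let text break out of HTML body or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-supplied text is concatenated into markup as-is,
// so any tags in the post become part of the page every visitor loads.
function renderPostUnsafe(post) {
  return `<div class="post"><b>${post.author}</b>: ${post.body}</div>`;
}

// Hardened pattern: every user-controlled field is escaped at output time.
function renderPostSafe(post) {
  return `<div class="post"><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</div>`;
}

// Reflected case: the value arrives in the query string of a link.
// URL.searchParams decodes percent-encoding, so escaping must happen after decoding.
function renderPreviewSafe(link) {
  const message = new URL(link).searchParams.get('message') ?? '';
  return `<p>Preview: ${escapeHtml(message)}</p>`;
}

// Constructed sample input with a harmless marker script.
const storedPost = { author: 'mallory', body: 'Nice thread! <script>alert(1)</script>' };
const reflectedLink =
  'https://forum.example/createpost?message=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

function demo() {
  return {
    unsafe: renderPostUnsafe(storedPost),
    safe: renderPostSafe(storedPost),
    preview: renderPreviewSafe(reflectedLink),
  };
}

console.log(demo());
```

This escaping is only correct for HTML body text and quoted attribute values; values placed inside a script block, a URL or a style need the encoding for that context instead.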
