This is a discussion on Cross site scripting testing within the Testing Tools forums, part of the Software Quality Assurance category.
The aim of a cross-site scripting (XSS) attack is to introduce arbitrary client-side code in an application (e.g. by storing client-side scripts in a database) in order to be included in the dynamic web content generated by the server and executed by the client. So, the final victims of these attacks are the application’s clients, not the server.

How to perform the attack

The attacker needs to explore the application and its architecture to find any way to persist XSS inputs. Some possible entry points may be the following:

1) Web services.
2) Web forms.
3) Web parameters via the GET method (parameters passed through the URL).
4) Other applications (web or desktop) sharing the same database.
5) Combine with other techniques, for example:
   a. Insert queries directly into the database using SQL-Injection (see SQL-Injection test case document).
   b. Removing form validations to make the application accept XSS strings (see client-side code manipulation test case document).

How to avoid XSS Attacks?

The basic characters used in XSS are ‘<’ and ‘>’, so the validation consists of searching for those characters. You may consider the following tips:

First of all, you should avoid, from the beginning, entries of those characters in fields that don’t require them at all (for example phone, name, postal code, etc.).

Make sure the validation is also done on the server side (see Client-Side Code Manipulation document).

Thanks
V.Vadivelan
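An added example, not part of the original post: a server-side validator for the fields the post names (phone, name, postal code) that rejects ‘<’ and ‘>’ and then applies a per-field allowlist. It goes one step beyond the post by HTML-encoding free-text fields at output, since those may legitimately contain the characters. The field names, patterns and sample form are assumptions constructed for illustration.

```python
import html
import re

# Allowlist patterns for fields that never need markup. Field names and
# patterns are assumptions for this example, not taken from the post.
FIELD_RULES = {
    "phone": re.compile(r"\+?[0-9][0-9 ()\-]{5,19}"),
    "name": re.compile(r"[^\W\d_](?:[^\W\d_]|[ .'\-]){0,63}"),
    "postal_code": re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{2,9}"),
}
MARKUP_CHARS = ("<", ">")

# Constructed sample submission (for example, parsed from a form or GET query).
SAMPLE_FORM = {
    "phone": "+1 (555) 010-9999",
    "name": "Ann<script>alert(1)</script>",
    "postal_code": "SW1A 1AA",
}


def validate_field(field, value):
    """Server-side check returning (ok, reason). It runs regardless of any
    browser-side validation, because client-side checks can be removed."""
    if any(ch in value for ch in MARKUP_CHARS):
        return False, "markup character"
    rule = FIELD_RULES.get(field)
    if rule is None:
        return False, "unknown field"  # deny by default
    if not rule.fullmatch(value):
        return False, "format"
    return True, "ok"


def validate_form(form):
    """Return {field: reason} for every rejected field in a submission."""
    errors = {}
    for field, value in form.items():
        ok, reason = validate_field(field, value)
        if not ok:
            errors[field] = reason
    return errors


def render_comment(text):
    """Free-text fields may need < and >, so they are encoded when written
    into HTML instead of being rejected on input."""
    return "<p>" + html.escape(text, quote=True) + "</p>"
```

The same `validate_form` call belongs behind every entry point the post lists (web services, forms, GET parameters), so that data reaching the shared database has passed one set of rules.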