Chapter 3. Cross-site Scripting

Welcome back! In this chapter, we will take a closer look at one of the most common JavaScript security attacks: cross-site scripting.

What is cross-site scripting?

Cross-site scripting is a type of attack in which the attacker injects code (typically client-side script, which in our case is JavaScript) into the remote server, so that the server delivers it to users' browsers, where it runs.

If you remember, we did something similar in the previous chapter: we posted input containing alert(), which unfortunately got saved into our database. When the screen refreshes, the alert fires, and it fires again every time we hit that page.

There are basically two types of cross-site scripting: persistent and nonpersistent.

Persistent cross-site scripting

Persistent cross-site scripting happens when the code injected by the attacker gets stored in secondary storage, such as a database. As you have already seen in Chapter 2, Secure Ajax RESTful APIs, the security-flaw testing that we performed is a form of persistent cross-site scripting, where our injected alert() function gets stored in MongoDB.

Nonpersistent cross-site scripting

Nonpersistent cross-site scripting requires an unsuspecting user to visit a crafted link made by the attacker; as you may have guessed, if the unsuspecting user visits the specially crafted link, the code will be executed by the user's browser.

For the purposes of this chapter, the exact terminology of persistent versus nonpersistent cross-site scripting does not matter that much, because both work in a somewhat similar manner in real-world situations. What we will do is provide a series of examples for you to get the hang of the various JavaScript security issues.
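The following sketch is an added example, not code from the book: it shows why the two variants behave alike by rendering one page from a stored value (persistent) and a URL parameter (nonpersistent), first with raw concatenation and then with output encoding. The names escapeHtml, renderPage, countScriptTags, the in-memory db array and the localhost URL are all assumptions made for illustration.

```javascript
// Added example: both XSS variants meet at the same place, the point where
// untrusted text is written into HTML. All names and data here are hypothetical.

// Escape the characters that let text break out of HTML content or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample data standing in for documents saved in a database.
const db = [
  { text: 'Buy milk' },
  { text: '<script>alert()</script>' }, // persistent: stored once, served to every visitor
];

// Build the page from stored items plus a value taken from the request URL.
// `encode` is the only difference between the vulnerable and the hardened build.
function renderPage(items, requestUrl, encode) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  const list = items.map((item) => `<li>${encode(item.text)}</li>`).join('');
  return `<p>Results for: ${encode(q)}</p><ul>${list}</ul>`;
}

// Constructed link: nonpersistent, the script travels in the URL the user visits.
const craftedLink =
  'http://localhost/todos?q=' + encodeURIComponent('<script>alert()</script>');

const vulnerable = renderPage(db, craftedLink, (s) => s); // raw concatenation
const hardened = renderPage(db, craftedLink, escapeHtml); // output encoding

// Count the script elements a browser would find in the generated markup.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

console.log('vulnerable:', countScriptTags(vulnerable), 'script tag(s)');
console.log('hardened:  ', countScriptTags(hardened), 'script tag(s)');
console.log(hardened);
```

The encoding shown is for HTML element content and quoted attribute values only; values written into script blocks, URLs or CSS need encoding for those contexts instead.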
