Cross-site scripting (XSS) is an injection attack in which JavaScript code is injected into the input fields of a web or mobile application. There are three types of XSS:
1. Reflected XSS: When the input that you enter in an input field is reflected back on the web page, you can test for reflected XSS. Enter JavaScript code in the input field and observe the response of the web page. If the JavaScript code is executed, this proves the existence of reflected XSS.
2. Stored XSS: If you find a place in the website that stores your input and then delivers that input to you every time you open that particular web page, it can be an ideal place to test for stored XSS. One example is a comment box in a website, where you can inject JavaScript code and it will be stored by the website. Once the page loads, you can observe that the JavaScript code executes.
3. DOM XSS: Let us first understand what the DOM is. DOM stands for Document Object Model; in simple words, it is the structure of the entire web page. If you observe any web page, you will notice that all the buttons, images, etc. on the page are placed at particular positions. This is done with the help of the DOM. You can observe the DOM of a web page by right-clicking and then selecting Inspect. DOM XSS affects the DOM structure: in simple words, the JavaScript code gets injected into the DOM structure and is executed as part of the web page.
Coming to the mitigation of cross-site scripting, it is always good practice to encode user input. This can be done by converting all special characters into their corresponding encoded formats. Example: < will be converted to &lt;
This will prevent the browser from interpreting the code and thus executing it.
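The encoding step described above, as an added example that is not part of the original page: a comment rendered without encoding next to the same comment encoded at output. The function names (`encodeHtml`, `renderCommentUnsafe`, `renderCommentSafe`, `renderSearchBox`) and the sample inputs are constructed for illustration.

```javascript
// Added example (not from the original page). All names and inputs are constructed.

// Characters that are significant in HTML, mapped to their entities.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text for an HTML element body or a quoted attribute value.
// A single-pass replace means the "&" inside "&lt;" is never encoded a second time.
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: the stored comment is concatenated into the markup unchanged,
// so the browser parses any tags it contains.
function renderCommentUnsafe(comment) {
  return '<p class="comment">' + comment + "</p>";
}

// Hardened: the comment is encoded at the point of output,
// so the browser displays it as text.
function renderCommentSafe(comment) {
  return '<p class="comment">' + encodeHtml(comment) + "</p>";
}

// Quoted attribute context: encoding the quote characters keeps the
// value from closing the attribute early.
function renderSearchBox(query) {
  return '<input name="q" value="' + encodeHtml(query) + '">';
}

// Constructed sample input, as a comment box might store it.
const sampleComment = "<script>alert(1)</script>";

console.log(renderCommentUnsafe(sampleComment));
console.log(renderCommentSafe(sampleComment));
console.log(renderSearchBox('Tom & "Jerry"'));
```

This encoding covers HTML element bodies and quoted attribute values only; input placed inside a script block, a URL, or CSS needs the encoding that matches that context.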