from Hacker News

Almost 50% of web pages infected with DOM-based XSS. Learn How it is exploited

by R41 on 2/11/24, 3:56 PM with 3 comments

  • by ptx on 2/11/24, 7:29 PM

    > Whenever anything is sent to the server from the browser, we need proper validation. Input should be properly sanitized before being sent to the server.

    That doesn't sound right. If the attack vector is reflected XSS, i.e. that code (HTML/JS/etc.) is taken from the attacker's input, stored in the database by the server and later injected straight into another user's page, sanitizing it "before being sent to the server" would mean relying on the attacker helpfully sanitizing their own data.

  • by tailspin2019 on 2/11/24, 7:20 PM

    If the author is here could I make a gentle suggestion to change “infected with” to something like “potentially vulnerable to”.

    “Infected” means something very specific and I think its usage in this case comes off as a bit clickbaity and detracts from the credibility of the article.

    The article referenced as the source of that statistic uses more accurate wording (though doesn’t cite its own sources):

    > According to various research and studies, up to 50% of websites are vulnerable to DOM Based XSS vulnerabilities.

    Also, “Almost 50%” != “up to 50%”