According to the OWASP Top 10 (2017), XSS is the second-most prevalent issue found in web applications, present in roughly two thirds of them. By exploiting XSS, an attacker effectively bypasses the Same Origin Policy (SOP): attacker-supplied input is echoed into a page and interpreted by the browser as code rather than as data, so the attacker's script runs with the vulnerable site's origin and can read its cookies, DOM and session data. Historically this could be done with VBScript, ActiveX, Flash and even CSS, but JavaScript payloads are by far the most common.
XSS differs from SQL injection in that it does not target the application's database; it targets the application's users, executing in their browsers on the front end.
These attacks can be reflected (non-persistent), stored (persistent), or DOM-based. The consequences of XSS attacks can be very damaging, especially when combined with social engineering.
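The following is an added example (not code from the original article) showing the reflected-XSS case described above in a server-rendered search page: the user's query lands in both an element body and an attribute value. The page fragments and payloads are constructed for illustration; the point is that the same input is parsed as markup when pasted in unencoded, as text when HTML-encoded, and that encoding without quoting still leaves the attribute context open.

```python
"""Reflected XSS: untrusted input rendered as markup vs. as text.

Added example, not from the original article. The page fragments and the
two payloads are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Constructed payloads: one aimed at the element-body context, one at the
# attribute context (breaks out of value="..." and adds an event handler).
BODY_PAYLOAD = "<script>alert(document.domain)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


class TagCollector(HTMLParser):
    """Record every start tag and its attributes, i.e. what a browser would build."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render_unsafe(query: str) -> str:
    # Vulnerable: the query string is interpolated straight into the HTML.
    return (
        f"<h1>Results for: {query}</h1>"
        f'<input name="q" value="{query}">'
    )


def render_half_fixed(query: str) -> str:
    # Encodes <, > and & but not quotes: stops <script> in the body,
    # does NOT stop a breakout from the quoted attribute value.
    q = escape(query, quote=False)
    return (
        f"<h1>Results for: {q}</h1>"
        f'<input name="q" value="{q}">'
    )


def render_safe(query: str) -> str:
    # Hardened: encode for both the body and the quoted-attribute context.
    q = escape(query, quote=True)
    return (
        f"<h1>Results for: {q}</h1>"
        f'<input name="q" value="{q}">'
    )


def parsed_tags(html: str):
    parser = TagCollector()
    parser.feed(html)
    return parser.tags


def script_injected(html: str) -> bool:
    """True if the input became a real <script> element."""
    return any(tag == "script" for tag, _ in parsed_tags(html))


def event_handler_injected(html: str) -> bool:
    """True if the input produced an on* attribute on any element."""
    return any(
        name.startswith("on")
        for _, attrs in parsed_tags(html)
        for name in attrs
    )


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe),
                          ("half-fixed", render_half_fixed),
                          ("safe", render_safe)):
        print(f"{label:10} script tag from body payload:  "
              f"{script_injected(render(BODY_PAYLOAD))}")
        print(f"{label:10} handler from attribute payload: "
              f"{event_handler_injected(render(ATTR_PAYLOAD))}")
```

The half-fixed renderer is the interesting case: it looks patched because `<script>` no longer works, yet the attribute payload still yields an `onfocus` handler. Output encoding has to match the context the data lands in (body, attribute, URL, JavaScript string), which is why template engines with context-aware auto-escaping are preferred over hand-rolled encoding.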
From November 2017 to March 2019, 65% of web application attacks worldwide used SQL injection (SQLi). So it’s no surprise that injection attacks were named as the number one threat to web applications by the Open Web Application Security Project (OWASP).
If you’re wondering why SQLi attacks are so frequent, it’s because almost every web form feeds a SQL query. Login pages, search boxes, online order forms and more sit in front of databases holding valuable data such as personal details and financial records, and wherever the form's input is concatenated into the query text instead of being bound as a parameter, the attacker gets to rewrite the query itself.
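As an added example (not from the original article), the following shows the two form types named above, a login page and a search box, backed by an in-memory SQLite database. The schema, rows and payloads are constructed; the vulnerable functions build the query by string interpolation, the hardened ones bind the input as a parameter, and the same payloads are run against both.

```python
"""SQL injection through web-form input, shown against in-memory SQLite.

Added example, not from the original article. Schema, rows and payloads
are constructed for illustration. Passwords are stored in plaintext only
to keep the demo short; a real application would store password hashes.
"""
import sqlite3

# Constructed payloads.
AUTH_BYPASS = "admin' --"  # closes the string, comments out the password check
UNION_EXFIL = "' UNION SELECT card_number FROM orders --"  # pulls another table


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT, card_number TEXT);
        INSERT INTO users (username, password)
            VALUES ('admin', 'S3cret!'), ('alice', 'hunter2');
        INSERT INTO orders (item, card_number)
            VALUES ('laptop', '4111111111111111'), ('phone', '5500000000000004');
    """)
    return conn


def login_unsafe(conn, username: str, password: str) -> bool:
    # Vulnerable: form fields are spliced into the SQL text.
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Hardened: placeholders; the driver sends the values as data, never as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def search_unsafe(conn, term: str) -> list:
    # Vulnerable: the search term can terminate the LIKE literal and add a UNION.
    sql = f"SELECT item FROM orders WHERE item LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term: str) -> list:
    # Hardened: the wildcard is wrapped around the value in Python, then bound.
    sql = "SELECT item FROM orders WHERE item LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    print("unsafe login with", repr(AUTH_BYPASS), "->",
          login_unsafe(db, AUTH_BYPASS, "wrong"))
    print("safe   login with", repr(AUTH_BYPASS), "->",
          login_safe(db, AUTH_BYPASS, "wrong"))
    print("unsafe search with UNION payload ->", search_unsafe(db, UNION_EXFIL))
    print("safe   search with UNION payload ->", search_safe(db, UNION_EXFIL))
```

With `AUTH_BYPASS` the vulnerable login runs `... WHERE username = 'admin' --' AND password = 'wrong'`, so the password clause is commented away and the admin row is returned; the parameterized version simply looks for a user literally named `admin' --`. The UNION payload turns a product search into a dump of the `orders.card_number` column. One caveat: parameter binding stops injection, but `%` and `_` in user input are still LIKE wildcards, so escape them too if exact matching matters.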