Learn about JSON web token, OAuth 2, and OpenID Connect for web security and access management.

Web App Security

Web application developers are always on the lookout for ways to secure their applications. Considering the rise in the number of cyber-attacks, this has become the most fundamental part of any web application. This module will serve as our handy guide to the basic terminologies and frameworks related to web application security. 
In this module, we’ll learn what JWT is, how a JWT is created, and what benefits it provides in token-based authentication. We’ll learn about the reason HTTPS was first introduced and how it revolutionized the way data is transferred using techniques like encryption and handshake. We’ll also dive deep into the most commonly used authentication and authorization frameworks called OAuth and OpenId Connect. This module will give us a taste of what web API security is all about and provide us with the foundation to build our subsequent knowledge of application security.

Web Security and Access Management: JWT, OAuth 2, OpenId Connect

## What is a Cross-site Scripting attack?

The Cross-site Scripting attack, also known as XSS attack, is a kind of attack in which a malicious script is added to a website. When a user accesses this website then they accidentally run this malicious script, compromising their  data as the attacker gets control of the user’s browser.


## Types of Cross-site Scripting Attack

The XSS attack can be categorized into two types:

### 1. Stored Cross-site Scripting Attack

This is the most dangerous type of XSS attack because it is very easy for the attacker to inject a malicious script through this method. These attack targets websites that allow user input and store it in the database, e.g. comments.

The attacker writes the malicious script inside the input box, for example, a comment box. When the attacker clicks submit, the malicious script is saved as a comment in the website database. When a user opens this website, the malicious script runs on the browser as soon as the comments load.

The malicious script can attack the user through the following methods:


* Installing browser-based Keyloggers to capture keystrokes of the victim. This can be dangerous as the attacker might use this to get access to social media passwords, email passwords, credit card info, banking passwords, etc.

* Capturing session cookies of the user, which can be used to trigger some other kind of attack, like a [CSRF attack](https://www.educative.io/courses/web-security-access-management-jwt-oauth2-openid-connect/cross-site-request-forgery-csrf).
* Redirecting users to other malicious websites.

![](/api/collection/6650775272947712/6366281604268032/page/4554184234893312/image/5315239600979968)



### 2. Reflected Cross-site Scripting Attack

In this kind of attack, the attacker tricks the user into clicking a link that contains the malicious script. This kind of attack is a bit more difficult to execute than stored XSS.


The user may receive the malicious link through email, search results, or advertisements on another website. As soon as the user clicks on the link, the malicious script is executed on the user’s browser. This script can then steal browser data, such as cookies, and send it to the attacker.


![](/api/collection/6650775272947712/6366281604268032/page/4554184234893312/image/4653816516444160)

# What is a Cross-site Scripting attack?

The Cross-site Scripting attack, also known as XSS attack, is a kind of attack in which a malicious script is added to a website. When a user accesses this website then they accidentally run this malicious script, compromising their  data as the attacker gets control of the user’s browser.


# Types of Cross-site Scripting Attack

The XSS attack can be categorized into two types:

## 1. Stored Cross-site Scripting Attack

This is the most dangerous type of XSS attack because it is very easy for the attacker to inject a malicious script through this method. These attack targets websites that allow user input and store it in the database, e.g. comments.

The attacker writes the malicious script inside the input box, for example, a comment box. When the attacker clicks submit, the malicious script is saved as a comment in the website database. When a user opens this website, the malicious script runs on the browser as soon as the comments load.

The malicious script can attack the user through the following methods:


* Installing browser-based Keyloggers to capture keystrokes of the victim. This can be dangerous as the attacker might use this to get access to social media passwords, email passwords, credit card info, banking passwords, etc.

* Capturing session cookies of the user, which can be used to trigger some other kind of attack, like a [CSRF attack](https://www.educative.io/courses/web-security-access-management-jwt-oauth2-openid-connect/cross-site-request-forgery-csrf).
* Redirecting users to other malicious websites.

![](/api/collection/6650775272947712/6366281604268032/page/4554184234893312/image/5315239600979968)



## 2. Reflected Cross-site Scripting Attack

In this kind of attack, the attacker tricks the user into clicking a link that contains the malicious script. This kind of attack is a bit more difficult to execute than stored XSS.


The user may receive the malicious link through email, search results, or advertisements on another website. As soon as the user clicks on the link, the malicious script is executed on the user’s browser. This script can then steal browser data, such as cookies, and send it to the attacker.


![](/api/collection/6650775272947712/6366281604268032/page/4554184234893312/image/4653816516444160)

This lesson discusses the Cross-Site scripting attack.

Getting started with Web Application Security

HTTPS Basics

JSON Web Token

OAuth

OpenID Connect

Conclusion

Cross-site Scripting Attack (XSS)

What is a Cross-site Scripting attack?

Types of Cross-site Scripting Attack

1. Stored Cross-site Scripting Attack