
Cross-Site Scripting

What is Cross-Site Scripting?

In a cross-site scripting (XSS) attack, a cyberattacker injects malicious executable scripts into the code of a trusted website or application. To carry out an XSS attack, the cyberattacker injects malicious script into user-provided input, or does so by modifying a request. Often, the malicious code is either appended to the end of a URL or posted directly onto a page that displays user-generated content. If a web application is vulnerable to XSS, the user-supplied input is executed as code, because the browser treats the script as having come from a trusted source. Once executed, the malicious script can access cookies, session tokens, keystrokes, or any other sensitive information retained by the browser and used on that website. XSS attacks fall into two primary categories [1]:

Stored XSS. Stored XSS attacks are those where the injected script is permanently stored on the target servers in locations such as databases, messaging forums, visitor logs, or comment fields. When a user requests the stored information, the malicious script is retrieved. Stored XSS can be referred to as Persistent or Type-I XSS. A form of Persistent XSS, blind cross-site scripting, occurs when the attacker input is saved by the server and displayed in another part of the application or in another application.

Reflected XSS. Reflected XSS attacks are those where the injected script is reflected off the web server in responses such as error messages, search results, or other responses that include some or all of the input sent to the server as part of the request. Reflected XSS attacks are generally delivered to the victim through emails or on websites where the victim unwittingly clicks on a malicious link or visits a malicious site where the injected code travels to the vulnerable website, which reflects the attack back to the user’s browser. Since the browser recognizes the server as a trusted source, the browser can then execute the code. Reflected XSS can be referred to as Non-Persistent or Type-II XSS.

To protect yourself from XSS attacks:

  • Implement output encoding
  • Perform user input validation
  • Never trust user input
  • Ensure the web application is developed with XSS vulnerability prevention in mind
  • Conduct penetration tests
  • Implement a content-security policy
  • Sanitize HTML to ensure that malicious users cannot inject scripts in their HTML submissions
  • Mark cookies as HTTP-only, meaning that cookies will be received, stored, and sent by the browser, but cannot be modified or read by JavaScript
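The following is an added example, not code from the original article: it shows a reflected-XSS sink beside its output-encoded form, a session cookie carrying the HttpOnly flag, and a minimal content-security-policy header, tying together three of the measures listed above. Function names and the sample input are constructed for illustration.

```javascript
// Contextual output encoding for the HTML text and attribute contexts.
// Each character that can break out of a text node or a double-quoted
// attribute is replaced by its entity, so markup in the input stays inert.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the search term from the request is reflected straight into
// the response, so markup in the request becomes markup in the page.
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened: the same page, but the untrusted value is encoded for the
// HTML text context before it is concatenated into the template.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Session cookie with HttpOnly (plus Secure and SameSite): the browser
// still stores and sends it, but script cannot read it via document.cookie.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Minimal content-security-policy: only same-origin scripts may run, so an
// injected inline <script> is refused even where encoding was missed.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'";
}

// Constructed sample input standing in for a crafted query parameter.
const sampleInput = '<script>console.log("injected")</script>';
console.log(renderSearchUnsafe(sampleInput)); // script element lands in the page
console.log(renderSearchSafe(sampleInput));   // rendered as harmless text
console.log(sessionCookieHeader("abc 123"));
console.log(cspHeader());
```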

[1] OWASP, 2022, "Cross Site Scripting (XSS)"