Definition

cross-site scripting (XSS)

This definition is part of our Essential Guide: How to prepare for the emerging threats to your systems and data
Contributor(s): Linda Rosencrance

Cross-site scripting (XSS) is a type of injection security attack in which an attacker injects data, such as a malicious script, into content from otherwise trusted websites. Cross-site scripting attacks happen when an untrusted source is allowed to inject its own code into a web application, and that malicious code is included with dynamic content delivered to a victim's browser.

Malicious scripts are often delivered in the form of bits of JavaScript code executed by the victim's browser, but exploits can incorporate malicious executable code in many other languages, including Java, Ajax, Flash and HTML. Cross-site scripting attacks can be very serious, but mitigating the vulnerabilities that enable such attacks is relatively easy.

Cross-site scripting allows an attacker to execute malicious scripts in another user's browser. However, the attacker doesn't attack the victim directly; rather, the attacker exploits a vulnerability in a website the victim visits and gets the website to deliver the malicious script for the attacker.

How cross-site scripting works

Like all injection attacks, XSS takes advantage of the fact that browsers can't tell valid markup from attacker-controlled markup -- they just execute whatever markup text they receive. The attack circumvents the Same Origin Policy, which is intended to prevent scripts originating in one website from interacting with scripts from a different website.

The Same Origin Policy requires that all content on a webpage come from the same source. When the Same Origin Policy isn't enforced, an attacker is able to inject a script and modify the webpage to suit their own purposes -- for example, to extract data that will allow the attacker to impersonate an authenticated user, or to input malicious code for the browser to execute.

XSS can be used in a number of ways to cause serious problems. The traditional use of XSS enables an attacker to steal session cookies, allowing that attacker to pretend to be the user (victim). But it's not just stealing cookies; attackers can use XSS to spread malware, deface websites, create havoc on social networks, phish for credentials and in conjunction with social engineering techniques, perpetrate more damaging attacks.

Cross-site scripting

Types of XSS vulnerabilities

There are three main categories of cross-site scripting vulnerabilities: stored XSS, reflected XSS and DOM-based XSS.

Stored (persistent) XSS is the most damaging type of cross-site scripting attack. The attacker injects a script -- also called the payload -- that is stored permanently on the target application, such as a database. For example, an attacker inserts a malicious script on a blog, in a forum post or in a comment field.

The XSS payload will be then be served as part of a webpage when the victim navigates to the affected webpage in a browser. Then, once the victim views the page in a browser, he will end up inadvertently executing the malicious script.

Reflected XSS is the most common type of cross-site scripting vulnerability. In this type of attack, the attacker has to deliver the payload to the victim. Therefore, the attacker's payload script must be part of the request sent to the web server and reflected back so the HTTP response includes the payload from the HTTP request.

The attacker uses phishing emails and other social engineering methods to lure the victim to inadvertently make a request to the server that includes the XSS payload. The victim then executes the script that gets reflected and executed inside the browser. Because reflected XSS isn't a persistent attack, the attacker must deliver the payload to each victim.

DOM-based cross-site scripting is an advanced type of XSS attack made possible when the web application's client-side script writes user-provided data to the Document Object Model (DOM).

The web application then reads the data from the DOM and delivers it to the browser. If the data isn't handled correctly, the attacker is able to inject a payload that will be stored as part of the DOM. The payload is then executed when the data is read back from the DOM.

Cross-site scripting prevention methods

The following are best known practices to prevent cross-site scripting:

Escaping user input is one way to prevent XSS vulnerabilities from appearing in applications. This means taking the data an application has received and ensuring it's secure before rendering it for the user. Escaping user input prevents key characters in the data that a webpage receives from being interpreted as executable code. This means preventing the browser from interpreting characters used to signal the start or end of executable code, and it translates them to "escaped." For example, quote characters, parentheses, brackets and some other punctuation marks are sometimes used to set off executable code; "escaping" these characters means converting them from single characters that would not be displayed into strings that the browser interprets as printable versions of the characters.

Sanitizing user input is another way to prevent cross-site scripting attacks, which is especially helpful on sites that allow HTML markup. This prevention method scrubs the data clean of potentially executable characters, changing unacceptable user input to an acceptable format and ensuring the data received  can't be interpreted as executable code.

Input validation makes certain an application is rendering the correct data and preventing malicious data from harming a website, database and users. Validating input helps prevent XSS in forms because it stops a user from adding special characters into webpage data entry fields by refusing the request. Input validation helps reduce the possibility of harmful effects if an attacker should discover such an XSS vulnerability.

This was last updated in February 2018 ???publishDate.suggestedBy???

Continue Reading About cross-site scripting (XSS)

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

3 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

I think that XSS vulnerabilities seem to be the most widely spread category of security vulnerabilities in contemporary web applications. They can also be extremely dangerous in cases where the payload is executed in the browser of an administrator. In fact, administrators can be the most vulnerable group of users: They often have more features available to them, thus providing a much greater attack surface.
I would also point out that, as far as I know, xss filters built into browsers can only protect against reflected xss attacks. Any stored xss attacks will not be distinguishable from intended scripts and are thus executed.

My experience is mostly from a penetration testing perspective however. It would be interesting to know whether someone has encountered real-world xss based attacks to their web applications or has experience in how to apply sufficient filters to protect against such attacks.
Cancel
What are the most effective methods you use to defend against cross-site scripting attacks?
Cancel
How dangerous are XSS exploits in today's world?
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close