What Is Cross-Site Scripting? (2023)

The ability to run scripts is one of the features that makes modern websites so powerful. Using languages such as JavaScript, websites can execute custom code to achieve goals like providing interactive features or deploying content that is personalized for each user.

But website scripting also creates a risk: If malicious parties manage to trick a website into running malicious code, they could execute what's known as a cross-site scripting, or XSS, attack. XSS attacks allow threat actors to run code within unsuspecting users' browsers. Using this approach, attackers can steal sensitive information, impersonate users, or cause other forms of harm. That's why it's critical for website developers and admins to understand how XSS attacks happen and what they can do to protect users against them.

Related: What Is AI-Assisted Coding, and Should You Use It?

This article explains how cross-site scripting works, which techniques attackers use to execute XSS attacks, and what developers can do to mitigate the risk of XSS threats.

(Video) XSS - Cross Site Scripting Explained

What Is Cross-Site Scripting?

Cross-site scripting, or XSS, is an attack technique in which threat actors run malicious scripts on websites. The scripts are most commonly executed using JavaScript, but they can also use languages like Flash, HTML, or any other type of code that a modern web browser will run.

Related: Speed vs. Quality in Software Delivery: 5 Tips for Striking the Right Balance

XSS is a broad category of threat. As explained below, there are several different types of XSS attacks, and threat actors who use XSS may have a variety of end goals in mind. However, what all XSS attacks share in common is that they are enabled by flaws in either the code or configuration of websites that make it possible for threat actors to inject malicious scripts into sites that users deem trustworthy.

Cross-site scripting is so-called because, in most cases, XSS attacks happen when a script hosted on one website or server (typically, a server that attackers control) is injected into a different site that users access. However, this is not always the case. In persistent XSS attacks (which are described in detail below), only a single website is involved. Thus, the term "cross-site scripting" is slightly misleading; XSS attacks don't necessarily involve spreading scripts across distinct websites.

Different Types of Cross-Site Scripting

Cybersecurity researchers have identified three main types of XSS attacks. They are distinguished primarily by the attack technique. The attacks are also different in terms of how easy they are to execute, and how difficult they are to detect.

(Video) What is Cross-Site Scripting?

Persistent XSS

In a persistent XSS attack, attackers store malicious code directly on a compromised website. Hence why it's called "persistent XSS": The malicious script is persistent because it lives on a compromised website.

To execute a persistent XSS attack, attackers have to find a vulnerability inside a website or web server that allows them to upload their malicious code. For example, they might identify an input validation flaw on a content management system (CMS) platform that allows them to insert malicious code into an input box when they are creating comments in order to upload it to the server. If the comment function is available publicly, anyone could exploit the flaw to insert malicious code onto the server.

Once the code has been uploaded, it can be executed every time a user visits the website or web page that it affects. Thus, persistent XSS attacks are particularly dangerous because they don't require users to make mistakes. The only thing a user has to do to be harmed by a persistent XSS attack is to visit a compromised website. That said, these XSS attacks are relatively easy to prevent by validating input to detect malicious code.

Non-persistent XSS

In non-persistent XSS attacks, which are sometimes also called reflected XSS attacks, users are "tricked" into running malicious code on their browsers. From the user's perspective, the code appears to be stored on a website that the user trusts, but in reality it's a malicious script that can be executed locally in a browser.

This XSS attack technique is called non-persistent or reflected because the malicious code is never stored persistently on the affected website. Instead, it's "reflected" from the user's browsers to the website and then back to the browser.

(Video) Cross-Site Scripting (XSS) Explained And Demonstrated By A Pro Hacker!

The most common way to execute a non-persistent XSS attack is to get users to click a link that contains malicious code inside its URL. For example, attackers might create a URL like the following:

What Is Cross-Site Scripting? (1)

This is a simplistic example in which the malicious code (which wouldn't actually run in this case) is plainly visible from actually looking at the URL. In real-world non-persistent XSS attacks, the malicious code is often obfuscated in a way that makes it harder for users (or security tools they may have running on their systems) to detect the malicious script. For example, the malicious code may be represented in hexadecimal form rather than plain text to make it harder to detect.

Non-persistent XSS attacks don't pose quite as much danger as persistent XSS attacks because non-persistent XSS requires users to make a mistake — like clicking on a malicious link — rather than simply visiting a website. However, non-persistent attacks are easier for threat actors to execute because they don't need to find flaws in websites. All they have to do is create hyperlinks that contain malicious code, then display the links on a webpage, email, text message, or other medium where users might view and click on them.


In DOM-based XSS attacks, attackers modify the configuration of a web page's Document Object Model, or DOM, in order to run malicious code.

(Video) XSS Tutorial #1 - What is Cross Site Scripting?

To perform a DOM-based attack, attackers must find a JavaScript property, such as document.URL, into which they can inject malicious input. The input is then executed when the web page is rendered.

DOM-based attacks are the most complex type of XSS attack to execute, and they work only for websites or web applications with specific DOM environments. However, the attraction of a DOM attack from a threat actor's perspective is that this type of attack is very hard to detect because the malicious code never passes through the website or web server. As a result, security tools running on the server, as well as tools that monitor network traffic, can't see the malicious script. Only security software running locally (in other words, on the "client side") has the potential ability to detect the malicious code — and even then, there is no guarantee that client-side tools will properly recognize DOM-based cross-site scripting.

Consequences of Cross-Site Scripting

Because cross-site scripting makes it possible for attackers to run scripts of their choosing on the computers of affected users, there is virtually no limit to the potential consequences of XSS attacks. That said, common effects of XSS attacks include:

  • Stolen credentials and user impersonation: Using malicious scripts that run inside the user's browser, XSS attacks can steal cookies that contain login information. They can then use the cookies to impersonate users by logging into websites as them.
  • Data exfiltration: Malicious scripts running inside browsers can potentially access sensitive information stored inside the browser, such as passwords. In a worst case scenario, the scripts could even access files stored on the local file system, such as private documents.
  • Malicious server-side code: Persistent XSS attacks could potentially be used to plant malware that runs directly on servers, not just in users' browsers. Using that approach, attackers could steal sensitive data as it passes through the web server.

Poor site performance: In general, XSS attacks have the consequence of degrading website performance because they consume resources and make pages slower to load. Thus, even if an XSS attack does not result in user impersonation or data theft, it will still negatively impact users by wasting resources and disrupting the user experience.

(Video) Cross-Site Scripting (XSS) Explained

Best Practices for Preventing Cross-Site Scripting

Since there are multiple types of cross-site scripting attacks, protecting against them requires the employment of several best practices that mitigate the risk of successful XSS breaches:

  • Validate and filter input: The single most important step toward preventing XSS is to ensure that websites and web apps validate input properly. They should never blindly execute data that is injected via forms or URLs.
  • Scan applications: In addition to reviewing code manually for data input risks, developers can leverage source code scanners designed to detect lack of input filtering within applications.
  • Encode output: Where possible, developers should avoid situations where the output that appears in response to user requests is viewable in plaintext. Instead, they should encode it. Encoding reduces the risk that the browser will blindly execute the code.
  • Keep sites up-to-date: Updating website software and the servers that host them helps to protect against vulnerabilities that attackers could use to launch XSS attacks. This is especially important for preventing persistent XSS attacks, since they rely on vulnerabilities in websites or web applications to inject malicious code.
  • Update web browsers: Modern web browsers include sanitizer tools designed to detect XSS attacks. Keeping browsers up-to-date helps ensure that they can identify the latest XSS attack techniques. Developers don't always have control over which browsers their users run, of course, but if they do (which they might in a corporate setting where all employees can be required to use a certain browser, for example), they should ensure that only secure browsers are allowed to connect to their applications.


Cross-site scripting attacks come in many forms, and they can have wide-ranging consequences. In order to protect against these risks, developers and admins must think holistically about how they filter user input, how they manage their software, and how they leverage any tools available on users' devices to mitigate the risk of XSS attacks.

About the author

What Is Cross-Site Scripting? (2)Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.


What is cross-site scripting with example? ›

Examples of reflected cross-site scripting attacks include when an attacker stores malicious script in the data sent from a website's search or contact form. A typical example of reflected cross-site scripting is a search form, where visitors sends their search query to the server, and only they see the result.

What is cross-site scripting briefly describe the three main types? ›

These are: Reflected XSS, where the malicious script comes from the current HTTP request. Stored XSS, where the malicious script comes from the website's database. DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

Why is cross-site scripting called that? ›

The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack-site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain (taking advantage of a reflected or non- ...

How does cross-site scripting work? ›

Cross site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.

What are examples of scripting? ›

You have probably already heard of PHP, Python, JavaScript and jQuery. These are just a few examples of scripting languages that power the web and plenty of applications you and millions of other Internet users execute every day.

What are the two types of cross-site attacks? ›

Types of XSS attacks

XSS attacks can be generally categorized into two main types: non-persistent (reflected) and persistent (stored).

What are the two primary classifications of cross-site scripting? ›

There is no single, standardized classification of the types of cross-site scripting attacks, but most experts distinguish between at least two primary types: non-persistent and persistent. Other sources further divide these two groups into traditional (caused by server-side code) and DOM-based (in client-side code).

What is the most common type of scripting language? ›

JavaScript is the most common coding language in use today around the world. This is for a good reason: most web browsers utilize it and it's one of the easiest languages to learn. JavaScript requires almost no prior coding knowledge — once you start learning, you can practice and play with it immediately.

Is cross-site scripting phishing? ›

XSS attacks

These attacks are often part of a phishing scam, where the evil link is disguised as something more palatable and sent to the victim via email or text message.

Who invented cross-site scripting? ›

A study carried out by Symantic states that more than 50% of the websites are vulnerable to the XSS attack. Security engineers of Microsoft coined the term "Cross-Site Scripting" in January of the year 2000.

What does cross-site scripting allow for attackers? ›

XSS enables an attacker to execute malicious scripts in another user's browser. However, instead of attacking the victim directly, the attacker exploits a vulnerability in a website the victim visits and gets the website to deliver the malicious script.

What does a cross-site request? ›

Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.

How often do XSS attacks occur? ›

Cross-site scripting (often shortened to XSS) is a common security vulnerability that is more prevalent in web applications. It's estimated that more than 60% of web applications are susceptible to XSS attacks, which eventually account for more than 30% of all web application attacks.

Which languages are vulnerable to cross-site scripting attacks? ›

XSS Attack: Cross-Site Scripting, or XSS, is one of the most common browser-side vulnerabilities. These types of attacks happen an attacker injects malicious code into a legitimate (but vulnerable) application. Attackers can manipulate JavaScript and HTML to trigger the malicious code or scripts.

What are 4 types of scripts? ›

Here are eight types of scripts that you can write:
  • Original script. Original scripts include those that you create from your own ideas. ...
  • Adapted script. An adapted script re-imagines an existing story or narrative. ...
  • Screenplay. ...
  • Storyboard. ...
  • Spec script. ...
  • Standalone script. ...
  • Pitch script. ...
  • Shooting script.
Mar 11, 2022

What are the 3 scripting languages? ›

JavaScript, Python, and Ruby are all examples of scripting languages.
Most Popular Scripting Languages
  • JavaScript. JavaScript is by far the most popular scripting language. ...
  • PHP. ...
  • Python. ...
  • Perl. ...
  • Ruby.
Nov 7, 2022

What is scripting explain? ›

A scripting language is a programming language that employs a high-level construct to interpret and execute one command at a time. In general, scripting languages are easier to learn and faster to code in than more structured and compiled languages such as C and C++.

What are most common type of XSS attacks? ›

Non-persistent (reflected) XSS is the most common type of cross-site scripting. In this type of attack, the injected malicious script is "reflected" off the web server as a response that includes some or all of the input sent to the server as part of the request.

What is the impact of cross-site scripting vulnerability? ›

Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.

What is same site scripting? ›

Same Site Scripting is type of vulnerability that is caused by common DNS misconfiguration.

Which two preventive measures are used to control cross-site scripting? ›

4 Ways to Prevent Cross-Site Scripting Attacks
  • Keep Software Updated. ...
  • Sanitize Input Fields. ...
  • Use Client- and Server-side Form Validation. ...
  • Use a Web Application Firewall.
Oct 18, 2022

What are 3 types of attacks? ›

What are the four types of attacks? The different types of cyber-attacks are malware attack, password attack, phishing attack, and SQL injection attack.

Which of the following language is the primary target of cross-site scripting? ›

SQL is the primary language targeted by cross-site scripting attacks. 3. In a DOM-based XSS, the malicious input is injected into the client application at runtime in the user's browser.

How can cross-site scripting be exploited? ›

Most web applications use cookies for session handling. You can exploit cross-site scripting vulnerabilities to send the victim's cookies to your own domain, then manually inject the cookies into the browser and impersonate the victim.

What is persistent cross-site scripting? ›

A persistent cross-site scripting (stored XSS) attack is possible when a website or web application stores user input and later serves it to other users. Attackers use vulnerable web pages to inject malicious code and have it stored on the web server for later use.

What is the difference between CSRF and XSS? ›

What is the difference between XSS and CSRF? Cross-site scripting (or XSS) allows an attacker to execute arbitrary JavaScript within the browser of a victim user. Cross-site request forgery (or CSRF) allows an attacker to induce a victim user to perform actions that they do not intend to.

What is the simplest scripting language? ›


HTML, which stands for HyperText Markup Language, is one of the most common programming languages for beginners, as it's often seen as the most straightforward programming language to learn.

What is the best scripting code? ›

Industry experts suggest learning either JavaScript or Python first. They're both popular scripting languages used by professional developers. But if you must choose, go with Python. It's free, open source, and easy to write and implement.

Can cross-site scripting steal cookies? ›

Cookie Theft

This generally happens when the site has a vulnerability and the attacker uses something known as cross-site scripting (XSS) to exploit that vulnerability.

What is cross-site scripting quizlet? ›

Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application.

Does Chrome block cross-site scripting? ›

Chrome has default protection against Reflective XSS attacks. This is not a flaw that sandboxing can address. This protection system works by looking outgoing requests for javascript and preventing that javascript from being executed in the http response. No browser will prevent DOM Based XSS or Stored XSS.

When did cross-site scripting start? ›

Cross-Site Scripting History

The term "cross-site scripting" was introduced in 2000 by Microsoft engineers and soon became the most common web-based application exploit. It remains an extremely common attack. Originally, hackers used Javascript to run an invisible website within a frame of a legitimate website.

When was XSS first discovered? ›

XSS was first found in the year 2000, so we're in the 20th anniversary of the discovery of this exploit. By the year 2007 XSS became the most common exploit of web applications. Today it's still one of the most attacked vulnerabilities, and still ranks as one of the OWASP top 10 web application security risks.

What is broken authentication? ›

Authentication is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume user identities. Due to poor design and implementation of identity and access controls, the prevalence of broken authentication is widespread.

Is cross-site scripting used in stealing data? ›

Because XSS can allow untrusted users to execute code in the browser of trusted users and access some types of data, such as session cookies, an XSS vulnerability may allow an attacker to take data from users and dynamically include it in web pages and take control of a site or an application if an administrative or a ...

What is Cross-Site context? ›

When testing for reflected and stored XSS, a key task is to identify the XSS context: The location within the response where attacker-controllable data appears. Any input validation or other processing that is being performed on that data by the application.

Which of the following is the most common result of a cross-site request forgery? ›

It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft—including stolen session cookies. CSRFs are typically conducted using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to a server.

What is Cross-Site in cyber security? ›

Cross-Site Scripting is a security flaw found in some Web applications that enables unauthorized parties to cause client-side scripts to be executed by other users of the Web application.

Which is the best technique to prevent XSS attacks? ›

To prevent XSS attacks, your application must validate all the input data, make sure that only the allowlisted data is allowed, and ensure that all variable output in a page is encoded before it is returned to the user.

Where does XSS mainly occur? ›

Cross-site scripting attacks may occur anywhere that possibly malicious users are allowed to post unregulated material to a trusted website for the consumption of other valid users. The most common example can be found in bulletin-board websites which provide web based mailing list-style functionality.

How many websites are vulnerable to cross-site scripting? ›

... According to the Open Web Application Security Project (OWASP), cross-site programming is one of the most common types of computer attacks [5]. Around 65% of websites are exposed to XSS vulnerabilities detected in current web applications [6] , as shown in Figure 1.

What is CORS and XSS? ›

If a website trusts an origin that is vulnerable to cross-site scripting (XSS), then an attacker could exploit the XSS to inject some JavaScript that uses CORS to retrieve sensitive information from the site that trusts the vulnerable application.

What are the two types of web scripting? ›

JavaScript and VB Script programs were designed as components that may be attached to Web browsers to control how they display information.

What threat does a cross-site? ›

Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.

What threat is presented by cross-site scripting attacks? ›

In some cases, an XSS attack can lead to a complete compromise of the victim's account. Attackers can trick users into entering credentials on a fake form, which provides all the information to the attacker. Once they obtain user credentials, attacks could use them to commit identity theft or financial fraud.

What is CORS in simple terms? ›

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

What attacks does CORS prevent? ›

To clear things up, CORS by itself does not prevent or protect against any cyber attack. It does not stop cross-site scripting (XSS) attacks. It actually opens up a door that is closed by a security measure called the same-origin policy (SOP).

How do you handle CORS errors? ›

Cross-Origin Resource Sharing (CORS) errors occur when a server doesn't return the HTTP headers required by the CORS standard. To resolve a CORS error from an API Gateway REST API or HTTP API, you must reconfigure the API to meet the CORS standard.

What is the purpose of scripting? ›

Scripting is primarily used to automate tasks for websites and web applications while using an existing program. It is useful for extracting information from a dataset. Computer programmers, software developers, as well as front-end and back-end developers, use scripting skills in their careers.

Which scripting language is HTML? ›

A Markup Language

HTML is a type of markup language. It encapsulates, or “marks up” data within HTML tags, which define the data and describe its purpose on the webpage. The web browser then reads the HTML, which tells it things like which parts are headings, which parts are paragraphs, which parts are links, etc.

What do you mean by scripting? ›

A scripting language is a programming language that employs a high-level construct to interpret and execute one command at a time. In general, scripting languages are easier to learn and faster to code in than more structured and compiled languages such as C and C++.


1. Cross-site Scripting - SY0-601 CompTIA Security+ : 1.3
(Professor Messer)
2. Cross-Site Scripting (XSS) Explained in 7 minutes
3. What is Cross Site Scripting?| Cross Site Scripting Attack | Cross Site Scripting Tutorial | Edureka
4. Cross-Site Scripting (XSS) Explained And Demonstrated!
(Loi Liang Yang)
5. Cracking Websites with Cross Site Scripting - Computerphile
6. What is Cross Site Scripting (or XSS) Vulnerability in Cybersecurity
(Learn with Whiteboard)
Top Articles
Latest Posts
Article information

Author: Nicola Considine CPA

Last Updated: 01/29/2023

Views: 6591

Rating: 4.9 / 5 (69 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Nicola Considine CPA

Birthday: 1993-02-26

Address: 3809 Clinton Inlet, East Aleisha, UT 46318-2392

Phone: +2681424145499

Job: Government Technician

Hobby: Calligraphy, Lego building, Worldbuilding, Shooting, Bird watching, Shopping, Cooking

Introduction: My name is Nicola Considine CPA, I am a determined, witty, powerful, brainy, open, smiling, proud person who loves writing and wants to share my knowledge and understanding with you.