But website scripting also creates a risk: If malicious parties manage to trick a website into running malicious code, they could execute what's known as a cross-site scripting, or XSS, attack. XSS attacks allow threat actors to run code within unsuspecting users' browsers. Using this approach, attackers can steal sensitive information, impersonate users, or cause other forms of harm. That's why it's critical for website developers and admins to understand how XSS attacks happen and what they can do to protect users against them.
Related: What Is AI-Assisted Coding, and Should You Use It?
This article explains how cross-site scripting works, which techniques attackers use to execute XSS attacks, and what developers can do to mitigate the risk of XSS threats.
What Is Cross-Site Scripting?
Related: Speed vs. Quality in Software Delivery: 5 Tips for Striking the Right Balance
XSS is a broad category of threat. As explained below, there are several different types of XSS attacks, and threat actors who use XSS may have a variety of end goals in mind. However, what all XSS attacks share in common is that they are enabled by flaws in either the code or configuration of websites that make it possible for threat actors to inject malicious scripts into sites that users deem trustworthy.
Cross-site scripting is so-called because, in most cases, XSS attacks happen when a script hosted on one website or server (typically, a server that attackers control) is injected into a different site that users access. However, this is not always the case. In persistent XSS attacks (which are described in detail below), only a single website is involved. Thus, the term "cross-site scripting" is slightly misleading; XSS attacks don't necessarily involve spreading scripts across distinct websites.
Different Types of Cross-Site Scripting
Cybersecurity researchers have identified three main types of XSS attacks. They are distinguished primarily by the attack technique. The attacks are also different in terms of how easy they are to execute, and how difficult they are to detect.
In a persistent XSS attack, attackers store malicious code directly on a compromised website. Hence why it's called "persistent XSS": The malicious script is persistent because it lives on a compromised website.
To execute a persistent XSS attack, attackers have to find a vulnerability inside a website or web server that allows them to upload their malicious code. For example, they might identify an input validation flaw on a content management system (CMS) platform that allows them to insert malicious code into an input box when they are creating comments in order to upload it to the server. If the comment function is available publicly, anyone could exploit the flaw to insert malicious code onto the server.
Once the code has been uploaded, it can be executed every time a user visits the website or web page that it affects. Thus, persistent XSS attacks are particularly dangerous because they don't require users to make mistakes. The only thing a user has to do to be harmed by a persistent XSS attack is to visit a compromised website. That said, these XSS attacks are relatively easy to prevent by validating input to detect malicious code.
In non-persistent XSS attacks, which are sometimes also called reflected XSS attacks, users are "tricked" into running malicious code on their browsers. From the user's perspective, the code appears to be stored on a website that the user trusts, but in reality it's a malicious script that can be executed locally in a browser.
This XSS attack technique is called non-persistent or reflected because the malicious code is never stored persistently on the affected website. Instead, it's "reflected" from the user's browsers to the website and then back to the browser.
The most common way to execute a non-persistent XSS attack is to get users to click a link that contains malicious code inside its URL. For example, attackers might create a URL like the following:
This is a simplistic example in which the malicious code (which wouldn't actually run in this case) is plainly visible from actually looking at the URL. In real-world non-persistent XSS attacks, the malicious code is often obfuscated in a way that makes it harder for users (or security tools they may have running on their systems) to detect the malicious script. For example, the malicious code may be represented in hexadecimal form rather than plain text to make it harder to detect.
Non-persistent XSS attacks don't pose quite as much danger as persistent XSS attacks because non-persistent XSS requires users to make a mistake — like clicking on a malicious link — rather than simply visiting a website. However, non-persistent attacks are easier for threat actors to execute because they don't need to find flaws in websites. All they have to do is create hyperlinks that contain malicious code, then display the links on a webpage, email, text message, or other medium where users might view and click on them.
In DOM-based XSS attacks, attackers modify the configuration of a web page's Document Object Model, or DOM, in order to run malicious code.
DOM-based attacks are the most complex type of XSS attack to execute, and they work only for websites or web applications with specific DOM environments. However, the attraction of a DOM attack from a threat actor's perspective is that this type of attack is very hard to detect because the malicious code never passes through the website or web server. As a result, security tools running on the server, as well as tools that monitor network traffic, can't see the malicious script. Only security software running locally (in other words, on the "client side") has the potential ability to detect the malicious code — and even then, there is no guarantee that client-side tools will properly recognize DOM-based cross-site scripting.
Consequences of Cross-Site Scripting
Because cross-site scripting makes it possible for attackers to run scripts of their choosing on the computers of affected users, there is virtually no limit to the potential consequences of XSS attacks. That said, common effects of XSS attacks include:
- Stolen credentials and user impersonation: Using malicious scripts that run inside the user's browser, XSS attacks can steal cookies that contain login information. They can then use the cookies to impersonate users by logging into websites as them.
- Data exfiltration: Malicious scripts running inside browsers can potentially access sensitive information stored inside the browser, such as passwords. In a worst case scenario, the scripts could even access files stored on the local file system, such as private documents.
- Malicious server-side code: Persistent XSS attacks could potentially be used to plant malware that runs directly on servers, not just in users' browsers. Using that approach, attackers could steal sensitive data as it passes through the web server.
Poor site performance: In general, XSS attacks have the consequence of degrading website performance because they consume resources and make pages slower to load. Thus, even if an XSS attack does not result in user impersonation or data theft, it will still negatively impact users by wasting resources and disrupting the user experience.
Best Practices for Preventing Cross-Site Scripting
Since there are multiple types of cross-site scripting attacks, protecting against them requires the employment of several best practices that mitigate the risk of successful XSS breaches:
- Validate and filter input: The single most important step toward preventing XSS is to ensure that websites and web apps validate input properly. They should never blindly execute data that is injected via forms or URLs.
- Scan applications: In addition to reviewing code manually for data input risks, developers can leverage source code scanners designed to detect lack of input filtering within applications.
- Encode output: Where possible, developers should avoid situations where the output that appears in response to user requests is viewable in plaintext. Instead, they should encode it. Encoding reduces the risk that the browser will blindly execute the code.
- Keep sites up-to-date: Updating website software and the servers that host them helps to protect against vulnerabilities that attackers could use to launch XSS attacks. This is especially important for preventing persistent XSS attacks, since they rely on vulnerabilities in websites or web applications to inject malicious code.
- Update web browsers: Modern web browsers include sanitizer tools designed to detect XSS attacks. Keeping browsers up-to-date helps ensure that they can identify the latest XSS attack techniques. Developers don't always have control over which browsers their users run, of course, but if they do (which they might in a corporate setting where all employees can be required to use a certain browser, for example), they should ensure that only secure browsers are allowed to connect to their applications.
Cross-site scripting attacks come in many forms, and they can have wide-ranging consequences. In order to protect against these risks, developers and admins must think holistically about how they filter user input, how they manage their software, and how they leverage any tools available on users' devices to mitigate the risk of XSS attacks.
About the authorChristopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.
Examples of reflected cross-site scripting attacks include when an attacker stores malicious script in the data sent from a website's search or contact form. A typical example of reflected cross-site scripting is a search form, where visitors sends their search query to the server, and only they see the result.What is cross-site scripting briefly describe the three main types? ›
These are: Reflected XSS, where the malicious script comes from the current HTTP request. Stored XSS, where the malicious script comes from the website's database. DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.Why is cross-site scripting called that? ›
Cross site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.What are examples of scripting? ›
Types of XSS attacks
XSS attacks can be generally categorized into two main types: non-persistent (reflected) and persistent (stored).
There is no single, standardized classification of the types of cross-site scripting attacks, but most experts distinguish between at least two primary types: non-persistent and persistent. Other sources further divide these two groups into traditional (caused by server-side code) and DOM-based (in client-side code).What is the most common type of scripting language? ›
These attacks are often part of a phishing scam, where the evil link is disguised as something more palatable and sent to the victim via email or text message.
A study carried out by Symantic states that more than 50% of the websites are vulnerable to the XSS attack. Security engineers of Microsoft coined the term "Cross-Site Scripting" in January of the year 2000.
XSS enables an attacker to execute malicious scripts in another user's browser. However, instead of attacking the victim directly, the attacker exploits a vulnerability in a website the victim visits and gets the website to deliver the malicious script.What does a cross-site request? ›
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.How often do XSS attacks occur? ›
Cross-site scripting (often shortened to XSS) is a common security vulnerability that is more prevalent in web applications. It's estimated that more than 60% of web applications are susceptible to XSS attacks, which eventually account for more than 30% of all web application attacks.Which languages are vulnerable to cross-site scripting attacks? ›
- Original script. Original scripts include those that you create from your own ideas. ...
- Adapted script. An adapted script re-imagines an existing story or narrative. ...
- Screenplay. ...
- Storyboard. ...
- Spec script. ...
- Standalone script. ...
- Pitch script. ...
- Shooting script.
Most Popular Scripting Languages
- PHP. ...
- Python. ...
- Perl. ...
A scripting language is a programming language that employs a high-level construct to interpret and execute one command at a time. In general, scripting languages are easier to learn and faster to code in than more structured and compiled languages such as C and C++.What are most common type of XSS attacks? ›
Non-persistent (reflected) XSS is the most common type of cross-site scripting. In this type of attack, the injected malicious script is "reflected" off the web server as a response that includes some or all of the input sent to the server as part of the request.What is the impact of cross-site scripting vulnerability? ›
Cross site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.What is same site scripting? ›
Same Site Scripting is type of vulnerability that is caused by common DNS misconfiguration.
- Keep Software Updated. ...
- Sanitize Input Fields. ...
- Use Client- and Server-side Form Validation. ...
- Use a Web Application Firewall.
What are the four types of attacks? The different types of cyber-attacks are malware attack, password attack, phishing attack, and SQL injection attack.Which of the following language is the primary target of cross-site scripting? ›
SQL is the primary language targeted by cross-site scripting attacks. 3. In a DOM-based XSS, the malicious input is injected into the client application at runtime in the user's browser.How can cross-site scripting be exploited? ›
A persistent cross-site scripting (stored XSS) attack is possible when a website or web application stores user input and later serves it to other users. Attackers use vulnerable web pages to inject malicious code and have it stored on the web server for later use.What is the difference between CSRF and XSS? ›
HTML and CSS
HTML, which stands for HyperText Markup Language, is one of the most common programming languages for beginners, as it's often seen as the most straightforward programming language to learn.
This generally happens when the site has a vulnerability and the attacker uses something known as cross-site scripting (XSS) to exploit that vulnerability.
Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application.
Cross-Site Scripting History
XSS was first found in the year 2000, so we're in the 20th anniversary of the discovery of this exploit. By the year 2007 XSS became the most common exploit of web applications. Today it's still one of the most attacked vulnerabilities, and still ranks as one of the OWASP top 10 web application security risks.What is broken authentication? ›
Authentication is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume user identities. Due to poor design and implementation of identity and access controls, the prevalence of broken authentication is widespread.Is cross-site scripting used in stealing data? ›
Because XSS can allow untrusted users to execute code in the browser of trusted users and access some types of data, such as session cookies, an XSS vulnerability may allow an attacker to take data from users and dynamically include it in web pages and take control of a site or an application if an administrative or a ...What is Cross-Site context? ›
When testing for reflected and stored XSS, a key task is to identify the XSS context: The location within the response where attacker-controllable data appears. Any input validation or other processing that is being performed on that data by the application.Which of the following is the most common result of a cross-site request forgery? ›
It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft—including stolen session cookies. CSRFs are typically conducted using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to a server.What is Cross-Site in cyber security? ›
Cross-Site Scripting is a security flaw found in some Web applications that enables unauthorized parties to cause client-side scripts to be executed by other users of the Web application.Which is the best technique to prevent XSS attacks? ›
To prevent XSS attacks, your application must validate all the input data, make sure that only the allowlisted data is allowed, and ensure that all variable output in a page is encoded before it is returned to the user.Where does XSS mainly occur? ›
Cross-site scripting attacks may occur anywhere that possibly malicious users are allowed to post unregulated material to a trusted website for the consumption of other valid users. The most common example can be found in bulletin-board websites which provide web based mailing list-style functionality.
... According to the Open Web Application Security Project (OWASP), cross-site programming is one of the most common types of computer attacks . Around 65% of websites are exposed to XSS vulnerabilities detected in current web applications  , as shown in Figure 1.What is CORS and XSS? ›
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.What threat is presented by cross-site scripting attacks? ›
In some cases, an XSS attack can lead to a complete compromise of the victim's account. Attackers can trick users into entering credentials on a fake form, which provides all the information to the attacker. Once they obtain user credentials, attacks could use them to commit identity theft or financial fraud.What is CORS in simple terms? ›
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.What attacks does CORS prevent? ›
To clear things up, CORS by itself does not prevent or protect against any cyber attack. It does not stop cross-site scripting (XSS) attacks. It actually opens up a door that is closed by a security measure called the same-origin policy (SOP).How do you handle CORS errors? ›
Cross-Origin Resource Sharing (CORS) errors occur when a server doesn't return the HTTP headers required by the CORS standard. To resolve a CORS error from an API Gateway REST API or HTTP API, you must reconfigure the API to meet the CORS standard.What is the purpose of scripting? ›
Scripting is primarily used to automate tasks for websites and web applications while using an existing program. It is useful for extracting information from a dataset. Computer programmers, software developers, as well as front-end and back-end developers, use scripting skills in their careers.Which scripting language is HTML? ›
A Markup Language
HTML is a type of markup language. It encapsulates, or “marks up” data within HTML tags, which define the data and describe its purpose on the webpage. The web browser then reads the HTML, which tells it things like which parts are headings, which parts are paragraphs, which parts are links, etc.
A scripting language is a programming language that employs a high-level construct to interpret and execute one command at a time. In general, scripting languages are easier to learn and faster to code in than more structured and compiled languages such as C and C++.