Cross-site Scripting: What is it and how can you protect yourself?

Websites today are more complex than ever, containing a lot of dynamic content that makes the experience more enjoyable for the user. Dynamic content is achieved through the use of web applications, which can deliver different output to a user depending on their settings and needs. Cross-site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today.

What is Cross-site Scripting (XSS)?

Cross-site Scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. The goals of an XSS attack include stealing sensitive client information and distributing malicious software, among others.

Common Threats of XSS:

– Cookie theft – The attacker can access the victim’s cookies associated with the website, send them to his own server, and use them to extract sensitive information.

– Keylogging – The attacker can record all keystrokes and then send that record to his own server, potentially recording sensitive information such as passwords and credit card numbers.

– Phishing – The attacker can insert a fake login form into the webpage and trick the user into submitting sensitive information such as their username and password.

Forms of XSS Attacks:

– Non-Persistent – Non-persistent attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which, when posted to the vulnerable site, will mount the attack. Using a malicious form will often take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim’s knowledge. Upon clicking on the malicious link or submitting the malicious form, the XSS payload is echoed back by the vulnerable site, interpreted by the user’s browser, and executed.

– Persistent – Persistent attacks occur when the malicious code is submitted to a web site where it’s stored for a period of time. Examples of an attacker’s favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email); they only have to view the web page containing the code.
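Both forms come down to the same defect: user-supplied text is written into the page as markup, so the browser interprets the payload instead of displaying it. The following is an added example, not code from the original article, showing a search page that echoes a query string first unsafely and then with HTML output encoding; the page names, functions and the sample query are all constructed for illustration.

```javascript
// Added example (not from the original article): the same "echo the user's
// input back" page written two ways, to show why a reflected payload in a
// non-persistent attack executes and how output encoding stops it. The same
// encoding step protects stored (persistent) content when it is rendered later.

// Encode the characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query is concatenated straight into the markup, so a
// payload carried in a crafted link comes back to the browser as live HTML.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the query is encoded for the HTML context it lands in, so the
// browser shows the payload as plain text instead of running it.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Crude check used only to illustrate the difference: does the rendered page
// contain a script element or an inline event-handler attribute?
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed sample input standing in for the "specially crafted link".
const craftedQuery = "<script>alert('xss')</script>";

function demo() {
  const unsafe = renderSearchUnsafe(craftedQuery);
  const safe = renderSearchSafe(craftedQuery);
  console.log('unsafe:', unsafe, '-> active content:', containsActiveContent(unsafe));
  console.log('safe:  ', safe, '-> active content:', containsActiveContent(safe));
  return { unsafe, safe };
}

demo();
```

Encoding has to match the context the value is written into; a value placed inside a JavaScript block or a URL needs that context's encoding, not HTML encoding alone.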

How to Protect Yourself:

– Exercise caution when clicking on links sent by email or instant message. Be suspicious of overly long links, especially those that look like they contain HTML code. When in doubt, type the domain name manually into your browser location bar and navigate to the appropriate location.

– With respect to XSS vulnerabilities, no Web browser has a clear security advantage.

– While never 100% effective, avoiding questionable websites such as those offering hacking information/tools, warez, or pornography is advisable. These types of websites have been known to exploit Web browser vulnerabilities and compromise operating systems. When in doubt, disable JavaScript, Java, and ActiveX prior to your visit.

Cross-site scripting is gaining popularity among attackers as an easy exposure to find in Web sites. Every month cross-site scripting attacks are found in commercial sites and advisories are published explaining the threat. Left unattended, your Web site’s ability to operate securely, as well as your company’s reputation, may fall victim to these attacks.

To learn more about Cross-site Scripting, refer to OWASP’s page at: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Written by Joe H.