Cross-Site Scripting
An attack that injects malicious scripts into web pages viewed by other users
Also known as: XSS, XSS Attack
Category: Concepts
Tags: security, attacks, web-security, vulnerabilities, javascript
Explanation
Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious client-side scripts into web pages viewed by other users. When a victim loads the affected page, the injected script runs in their browser within the origin of the vulnerable site, with the same access as the site's own scripts: it can read the page's DOM and any cookies not marked HttpOnly, capture keystrokes, redirect the user to attacker-controlled sites, or issue authenticated requests on the victim's behalf.
XSS attacks come in three main forms. In Stored XSS (persistent), the malicious script is saved on the server (for example in a database field or a comment) and served to every user who views that content. In Reflected XSS (non-persistent), the script arrives in the request itself (typically a URL parameter or form field) and is echoed back by the server into the response without encoding, so the victim must be lured into opening a crafted link. In DOM-based XSS, the defect is in client-side code that reads attacker-controlled data (such as the URL fragment) and writes it into a dangerous sink like innerHTML or eval, so the payload may never reach the server at all. All three succeed because the browser cannot tell attacker-supplied data from the site's own markup and code once they have been mixed together.
Notable XSS attacks include the Samy worm (2005), which spread across MySpace through a stored XSS payload and added over a million friends in under 20 hours. The TweetDeck XSS vulnerability (2014) caused a crafted tweet to retweet itself automatically when viewed. The British Airways breach (2018) used the same injected-script technique, a card-skimming script added to JavaScript served by the site, to steal payment card data from roughly 380,000 transactions.
Defenses include context-aware output encoding (a different encoder for the HTML body, HTML attributes, JavaScript strings, URLs and CSS), input validation as a secondary layer, a Content Security Policy (CSP) header that restricts where scripts may be loaded from and blocks inline scripts, the HttpOnly and Secure flags on session cookies so an injected script can neither read them nor leak them over plain HTTP, templating frameworks that escape output by default, and sanitizing rich-text content with an allow-list sanitizer such as DOMPurify. Regular security testing and code review are essential for finding XSS, since a single unencoded interpolation point is enough to open the hole.