Glossary

XSS

TL;DR

XSS (Cross-Site Scripting) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially stealing sensitive data or performing unauthorized actions.


Concept

XSS (Cross-Site Scripting) is a security vulnerability commonly found in web applications that allows attackers to inject malicious scripts (typically JavaScript) into web pages viewed by other users. These scripts execute in the victim’s browser, potentially compromising user data, session tokens, or performing actions on behalf of the user.

Types of XSS attacks include:

  1. Stored XSS (Persistent): Malicious scripts are permanently stored on the target server (in databases, comment fields, etc.) and executed when users access the affected page.

  2. Reflected XSS (Non-Persistent): Malicious scripts are reflected off the web server through links or forms, typically delivered via phishing emails or malicious links.

  3. DOM-based XSS: The attack occurs in the DOM (Document Object Model) rather than the HTML source, where client-side scripts modify the DOM based on user input.

Common XSS attack vectors:

  • Unvalidated user input fields
  • URL parameters
  • Cookies
  • HTTP headers
  • Database content

Potential impacts of XSS attacks:

  • Session hijacking (stealing cookies/session tokens)
  • Account takeover
  • Keylogging
  • Phishing attacks
  • Malware distribution
  • Defacement of web pages
  • Unauthorized actions performed on behalf of users

Prevention techniques include:

  • Input validation and sanitization: Validate and sanitize all user inputs
  • Output encoding: Encode data before rendering in HTML contexts
  • Content Security Policy (CSP): Implement CSP headers to restrict script execution
  • Use secure frameworks: Modern frameworks often have built-in XSS protection
  • Regular security testing: Conduct code reviews and penetration testing

XSS remains one of the most prevalent web application vulnerabilities according to the OWASP Top 10, making proper input validation and output encoding essential practices for secure web development.