cross-site scripting (XSS)

Contributor(s): Kevin Glavin

Cross-site scripting (XSS) is an injection attack carried out against Web applications that accept input but do not properly separate data from executable code before that input is delivered back to a user's browser.

Like all injection attacks, XSS takes advantage of the fact that browsers cannot tell legitimate markup from attacker-controlled markup: they simply execute whatever markup text they receive. The attack circumvents the Same Origin Policy (SOP), a security measure enforced by Web browsers for scripting technologies such as JavaScript and Ajax. Simply put, the Same Origin Policy requires everything on a Web page to come from the same source. When the Same Origin Policy is not enforced, an attacker can inject a script and modify the Web page to suit their own purposes, perhaps to extract data that allows the attacker to impersonate an authenticated user, or to supply malicious code for the browser to execute.

There are a number of security controls that can be used in concert to drastically reduce or entirely remove the threat of cross-site scripting. They include:

  • Input validation - determines if an end user’s input matches the expected format. For example, a browser-side script would not be expected in a phone number field.
  • Content Security Policy (CSP) - restricts which scripts can be run or loaded on a Web page. 
  • Output encoding - tells the browser that certain characters it is going to receive should be treated as display text, rather than executable code.

A typical Web page contains many output contexts, including but not limited to: HTML body, HTML attribute, script and CSS. Each of these contexts requires a different encoding (escaping) scheme to prevent a cross-site scripting payload from being interpreted as code. Many Web languages and frameworks offer template engines that automatically apply the encoding appropriate to the output context for variable data that is included in the final Web page.
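The three controls above, applied together, can be shown in a few lines. The following is an added example, not code from the original definition or from any particular framework: a hypothetical profile page rendered once without separating data from markup (the defect the definition describes) and once with allow-list validation on the phone field and a context-specific encoder for each place the display name is written. The sample input and the helper names (`render_profile`, `raw_script_tags`, and so on) are constructed for this illustration.

```python
import html
import json
import re

# Constructed sample input in the style of an XSS payload; used only to show that
# each encoder keeps it inert.
UNTRUSTED = '"><script>alert(1)</script>'

# Allow-list for a phone number field: optional +, then digits, spaces, parentheses and dashes.
PHONE_RE = re.compile(r"\+?[0-9][0-9 ()-]{6,19}")


def validate_phone(value: str) -> bool:
    """Input validation: accept only what a phone number can legitimately look like."""
    return PHONE_RE.fullmatch(value) is not None


def encode_html_body(value: str) -> str:
    """HTML body context: & < > " ' become entities, so the browser renders them as text."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """HTML attribute context: same entity set, valid only because the template always
    quotes the attribute value."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Script context: emit a JSON string literal and additionally escape < and > as
    \\u003c / \\u003e, so a value containing </script> cannot close the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_profile_unsafe(display_name: str, phone: str) -> str:
    """The flaw the definition describes: input is copied straight into markup."""
    return (
        f"<p>Hello, {display_name}</p>\n"
        f'<input name="nick" value="{display_name}">\n'
        f'<script>var user = "{display_name}";</script>\n'
        f"<p>Phone: {phone}</p>"
    )


def render_profile(display_name: str, phone: str) -> str:
    """Hardened version: validate the fixed-format field, and encode every other value
    with the encoder that matches the context it is written into."""
    if not validate_phone(phone):
        phone = ""  # reject malformed input outright rather than trying to clean it
    return (
        f"<p>Hello, {encode_html_body(display_name)}</p>\n"
        f'<input name="nick" value="{encode_html_attr(display_name)}">\n'
        f"<script>var user = {encode_js_string(display_name)};</script>\n"
        f"<p>Phone: {encode_html_body(phone)}</p>"
    )


def raw_script_tags(rendered: str) -> int:
    """Count literal '<script' openings in the output. The template contributes exactly one;
    any extra one means untrusted input reached the browser as markup."""
    return rendered.count("<script")


if __name__ == "__main__":
    unsafe = render_profile_unsafe(UNTRUSTED, UNTRUSTED)
    safe = render_profile(UNTRUSTED, "+1 (555) 010-2345")
    print(unsafe)
    print("raw script tags (unsafe):", raw_script_tags(unsafe))
    print(safe)
    print("raw script tags (encoded):", raw_script_tags(safe))
```

The point of `raw_script_tags` is only to make the difference measurable: the unsafe renderer lets the payload through in every context, while the hardened one leaves a single `<script` in the page, the one the template wrote itself. Note that the attribute encoder is only sufficient because the template quotes the attribute; an unquoted attribute would need a stricter scheme.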

Blacklist input validation, including Web application firewalls (WAFs), should not be counted on to prevent cross-site scripting attacks. Blacklists are inherently a reactive security measure, dependent on lists that are often out of date and incomplete. Output encoding and Content Security Policy are the strongest solutions to the problems XSS attacks pose, but they do have limitations: output encoding must be set correctly for the expected output context, and CSP policies need to be configured to be as restrictive as possible.
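What "as restrictive as possible" means for a CSP is easier to see with a policy that looks restrictive but is not, beside one that is. The following is an added example written for this page, not code from the original definition: a small checker that parses a `Content-Security-Policy` header value and flags the settings that still allow an injected script to run, plus a builder for a per-response nonce-based policy. The weak header value is constructed for the illustration; the directive and source keywords (`script-src`, `'unsafe-inline'`, `'strict-dynamic'`, `'nonce-…'`, `object-src`, `base-uri`) are standard CSP syntax.

```python
import secrets
from typing import Dict, List

# Constructed header value: has a CSP, yet an injected inline script still executes.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_weaknesses(header: str) -> List[str]:
    """Return the settings that still let an injected script run; empty means none found."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src governs scripts; default-src is the fallback; with neither, nothing is restricted.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: script execution is unrestricted"]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP level 2),
    # so it is only a weakness when it is the sole thing permitting inline script.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script-src: an injected inline <script> executes")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' in script-src: injected strings can be run through eval()")
    for s in sources:
        if s in ("*", "https:", "http:", "data:"):
            findings.append(f"{s} in script-src: scripts can be loaded from any matching origin")
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src not restricted: plugin content is another script vector")
    return findings


def strict_csp(nonce: str) -> str:
    """Nonce-based policy: only scripts carrying this response's nonce (and scripts they
    load, via 'strict-dynamic') may run; plugins and <base> hijacking are switched off."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


def new_nonce() -> str:
    """A fresh, unguessable nonce per response; reusing one across responses defeats it."""
    return secrets.token_urlsafe(16)


def script_tag(nonce: str, src: str) -> str:
    """The tag the template must emit so the browser can match it against the policy."""
    return f'<script nonce="{nonce}" src="{src}"></script>'


if __name__ == "__main__":
    print("weak:", csp_weaknesses(WEAK_CSP))
    n = new_nonce()
    print("strict:", csp_weaknesses(strict_csp(n)))
    print(script_tag(n, "/static/app.js"))
```

The checker is deliberately narrow: it looks only at the script-related directives that decide whether an XSS payload executes, and it treats a nonce or hash as overriding `'unsafe-inline'` because that is how conforming browsers behave. A nonce policy also ties CSP back to output encoding: the template engine has to emit the nonce on every legitimate script tag and must never place untrusted data inside the `nonce` attribute.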

This was last updated in December 2015



I think that XSS vulnerabilities seem to be the most widely spread category of security vulnerabilities in contemporary web applications. They can also be extremely dangerous in cases where the payload is executed in the browser of an administrator. In fact, administrators can be the most vulnerable group of users: They often have more features available to them, thus providing a much greater attack surface.
I would also point out that, as far as I know, XSS filters built into browsers can only protect against reflected XSS attacks. Any stored XSS attacks will not be distinguishable from intended scripts and are thus executed.

My experience is mostly from a penetration testing perspective, however. It would be interesting to know whether someone has encountered real-world XSS-based attacks on their web applications or has experience in how to apply sufficient filters to protect against such attacks.
How dangerous are XSS exploits in today's world?

