cross-site scripting (XSS)

This definition is part of our Essential Guide: How to hone an effective vulnerability management program
Contributor(s): Kevin Glavin

Cross-site scripting (XSS) is an injection attack carried out against Web applications that accept untrusted input and include it in a page without separating data from executable code before that page is delivered to a user's browser. The attacker's script then runs in the victim's browser with the privileges of the vulnerable site.

Like all injection attacks, XSS takes advantage of the fact that the browser cannot tell the application's own markup from attacker-controlled markup: it parses and executes whatever it receives. The attack does not break the Same Origin Policy (SOP), the browser rule that keeps a script loaded from one origin (scheme, host and port) from reading or changing content that belongs to another origin; it abuses it. Because the injected script is delivered as part of the vulnerable site's own page, the browser treats it as that site's code and gives it that origin's privileges: it can read and rewrite the page's DOM, read cookies not marked HttpOnly and data in local storage, and send requests that carry the victim's session. That lets an attacker extract session data in order to impersonate an authenticated user, rewrite the page to phish credentials, or run any other code the browser will execute.

There are a number of security controls that can be used in concert to drastically reduce or entirely remove the threat of cross-site scripting. They include:

  • Input validation - determines if an end user’s input matches the expected format. For example, a browser-side script would not be expected in a phone number field.
  • Content Security Policy (CSP) - a response header that restricts which scripts the browser may load or run on a Web page, for example only scripts carrying a per-response nonce.
  • Output encoding - replaces the characters that are significant in the output context with escape sequences, so the browser treats the value as display text (data) rather than as markup or executable code.

A typical Web page contains many output contexts, including but not limited to: HTML body, HTML attribute, script and CSS. Each context has its own syntax, so each requires a different encoding scheme to keep a cross-site scripting payload from executing; an encoder that is correct for one context is not necessarily correct for another. Many Web languages and frameworks offer template engines that apply encoding automatically to variable data included in the final page, but many of them encode only for the HTML body context by default, and their "raw" or "safe" escape hatches reintroduce the problem wherever they are used.
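The contexts described above, as an added example that is not code from the original page: three small context-specific encoders (following the usual OWASP-style rules), a hypothetical profile page rendered once with raw concatenation and once with each value encoded for the context it lands in, and a demonstration of what happens when the HTML-body encoder is used in an attribute context. The payload strings are constructed for the example.

```javascript
// Added example (not from the original page): context-aware output encoding.
// Page and function names are hypothetical.

// HTML body (text between tags): the five HTML-significant characters.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Quoted HTML attribute value: entity-encode every non-alphanumeric code point,
// so a space or '=' cannot start a second attribute even if the quoting is wrong.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    c => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string literal inside <script>: backslash-hex every non-alphanumeric
// code point. Escaping '<' and '/' matters because the HTML tokenizer knows nothing
// about JS strings: a literal "</script>" inside the string ends the script
// element (JSON.stringify leaves that sequence intact, so it is not enough here).
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => {
    const cp = c.codePointAt(0);
    if (cp <= 0xff) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp <= 0xffff) return '\\u' + cp.toString(16).padStart(4, '0');
    return '\\u{' + cp.toString(16) + '}';
  });
}

// Vulnerable: one untrusted value dropped into attribute, body and script
// contexts with no encoding at all.
function renderProfileVulnerable(name) {
  return `<div title="${name}">${name}</div>\n` +
         `<script>var user = "${name}";</script>`;
}

// Fixed: each occurrence encoded for the context it lands in.
function renderProfileSafe(name) {
  return `<div title="${encodeForHtmlAttribute(name)}">${encodeForHtml(name)}</div>\n` +
         `<script>var user = "${encodeForJsString(name)}";</script>`;
}

// Wrong encoder for the context: body encoding in an unquoted attribute leaves
// spaces and '=' alone, so the attacker can append an event-handler attribute.
function renderTitleWrongContext(name) {
  return `<div title=${encodeForHtml(name)}>profile</div>`;
}
// Right encoder, and the attribute quoted as well.
function renderTitleRightContext(name) {
  return `<div title="${encodeForHtmlAttribute(name)}">profile</div>`;
}

// Quick check: how many script elements does the markup open?
function countScriptTags(html) {
  return (html.match(/<script/gi) || []).length;
}

// Constructed sample payloads.
const PAYLOAD_BREAKOUT = '"><script>alert(1)</script>';
const PAYLOAD_ATTRIBUTE = 'x onmouseover=alert(1)';

if (typeof require === 'function' && require.main === module) {
  console.log(renderProfileVulnerable(PAYLOAD_BREAKOUT)); // opens four script elements
  console.log(renderProfileSafe(PAYLOAD_BREAKOUT));       // opens only the page's own
  console.log(renderTitleWrongContext(PAYLOAD_ATTRIBUTE)); // gains an onmouseover attribute
  console.log(renderTitleRightContext(PAYLOAD_ATTRIBUTE)); // stays one attribute value
}
```

Hand-written encoders like these are for illustration; in a real project use the encoding functions of a maintained library or template engine, and check which context each one is meant for before using it.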

Blacklist input validation, including Web application firewalls (WAFs), should not be relied on to prevent cross-site scripting attacks. Blacklists are inherently a reactive security measure, dependent upon signature lists that are often out of date and incomplete, and attackers routinely find encodings and payload variants they miss. Output encoding and Content Security Policy are the strongest defences against XSS, but each has limitations: output encoding must match the output context the data actually lands in, and a CSP must be configured as restrictively as possible, for example allowing only scripts that carry a per-response nonce rather than permitting 'unsafe-inline'.
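A restrictive Content Security Policy of the kind the paragraph above calls for, as an added example that is not code from the original page: a strict, nonce-based policy beside a weak one, a parser for the header, and a small audit that flags the settings which leave XSS exploitable. The directive names and source keywords are the real CSP ones; the audit rules, policy strings and page are this example's own choices.

```javascript
// Added example (not from the original page): strict vs. weak CSP, with an audit.

function generateNonce() {
  // 128 bits of randomness per response; a nonce must never be reused.
  return require('crypto').randomBytes(16).toString('base64');
}

// Weak: 'unsafe-inline' lets any injected <script> or onclick= handler run, 'https:'
// allows script from any HTTPS host, and no object-src/base-uri leaves plugin
// and <base> tricks open. Constructed for the example.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";

// Strict: only scripts carrying this response's nonce run, 'strict-dynamic' lets
// those scripts load further scripts, and everything else is locked down.
function buildStrictCsp(nonce) {
  return [
    "default-src 'none'",
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "style-src 'self'",
    "img-src 'self'",
    "connect-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
    "form-action 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// Return the findings a reviewer would raise; an empty array means none found.
function auditCsp(header) {
  const p = parseCsp(header);
  const findings = [];
  const scriptSrc = p.get('script-src') || p.get('default-src') || [];
  const hasNonceOrHash = scriptSrc.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash: injected inline script runs");
  if (scriptSrc.includes("'unsafe-eval'"))
    findings.push("script-src allows 'unsafe-eval'");
  if (scriptSrc.some(s => s === '*' || s === 'https:' || s === 'http:'))
    findings.push('script-src allows a scheme or wildcard source: scripts load from any host');
  if (!p.has('object-src') && !(p.get('default-src') || []).includes("'none'"))
    findings.push("object-src is not set to 'none'");
  if (!p.has('base-uri'))
    findings.push('base-uri missing: an injected <base> can redirect relative script URLs');
  return findings;
}

// The page's own script carries the nonce; an injected <script> does not, so
// under the strict policy the browser refuses to run it even though it is in
// the HTML. Hypothetical page.
function renderPage(nonce) {
  return '<!doctype html><html><head></head><body>' +
         `<script nonce="${nonce}" src="/app.js"></script></body></html>`;
}

if (typeof require === 'function' && require.main === module) {
  const nonce = generateNonce();
  console.log('Content-Security-Policy: ' + buildStrictCsp(nonce));
  console.log(renderPage(nonce));
  console.log(auditCsp(WEAK_CSP));
}
```

The nonce must be generated fresh for every response and placed both in the header and on each legitimate script tag; reusing one, or echoing user input into it, defeats the policy. Deploying the policy first as Content-Security-Policy-Report-Only is the usual way to find what it would break before enforcing it.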

This was last updated in December 2015
