All about Cross-site scripting (XSS) attack

Cross-site Scripting (XSS)

Cross-site Scripting (XSS) is an attack by injection of code on the client-side. The attacker attempts to execute fake scripts in a victim’s web browser by injecting malicious code into a valid web application or web page. The real attack occurs as the user enters the malicious code running a web application or a web page. The web application or web page turns into a vehicle to convey the pernicious content to the user’s browser. Vulnerable vehicles that are normally utilized for cross-site Scripting assaults are message boards, forums, and web pages that permit comments.

The web application or web page is susceptible to XSS if the data it produces is using unsanitized user input. The victim’s browser will then decode this user data. VBScript, Flash, ActiveX, and even CSS may affect XSS attacks. They are most common in JavaScript, though, mainly because JavaScript is key to most user experiences. You can use many information security tools to counter such attacks.

Cross-Site Scripting (XSS) attacks take place:

  • Data reaches a Web application from an untrusted source, most likely from a web request.
  • The information is used in the complex stuff that is submitted to a web customer for malicious content without validity.

This types of assaults based on XSS is practically boundless, however, they regularly incorporate transmitting private information, such as cookies or other data, to the assailant, diverting the victim to web content managed by the attacker, or performing the different operations related to malicious on the machine of the user under the appearance of the vulnerable site. 

Reflected and Stored XSS Attacks

XSS attacks can normally be sorted into two classes: reflected and stored. There is a third, a considerably less notable kind of XSS attack called DOM Based XSS that is mentioned here separately.

Reflected XSS Attacks

Reflected attacks are ones in which the injected script is reflected from the web server, for instance in an error message, search result, or some other reply that contains any or all of the feedback sent to the server as part of the request. Reflected attacks are transmitted by another path to users, such as through an e-mail address, or some other page. The injected malware transfers to the compromised website if a user is tricked into clicking a malicious connection, uploading a specially built form, or even simply browsing a malicious website, representing the attack back to the browser of the user. Then the user runs the code as it arrived from a “trusted” server. Reflected XSS is sometimes called Type-II XSS or Non-Persistent, too.

Stored XSS Attacks

Stored attacks are those that permanently store the injected script on the targeted machine, such as in a message forum, database, comment area, visitor log, etc. The user then picks up the server’s malicious script as it demands the stored information. Stored XSS is sometimes also called Type-I XSS or Persistent.


Aside from Reflected and Stored XSS, Amit Klein identified another type of XSS, DOM Based XSS in 2005. OWASP proposes the XSS categorization as defined in OWASP Article: Cross-Site Scripting Styles covering all of these XSS concepts, arranging them into a Reflected vs. Stored XSS and Client XSS vs. Server matrix, where DOM Based XSS is a Client XSS subset.

XSS Attack Consequences

The result of an XSS attack seems to be the same, regardless of whether it is reflected or stored (or DOM Based). The distinction lies in how the payload gets to the computer. Should not be misled into believing that a platform called a “brochureware” or “read-only” is not vulnerable to serious XSS attacks. XSS can create a number of end-user problems that vary in severity from an inconvenience to finishing a compromised account. The most severe XSS actions target disclosing the session cookie of the user, enabling an attacker to steal the session of the user and take over the account. Many destructive attacks include the installation of Trojan horse applications, exposing end-user files, redirecting the user to some other website, or platform or modifying content delivery. An XSS vulnerability that allows an attacker to change a press release or news article can influence the stock price of a business, or decrease customer trust. A vulnerability of XSS on a pharmaceutical site could permit an attacker to adjust dose data bringing about an overdose.

How you know If You Are Vulnerable

XSS flaws in a web application can be difficult to find and delete. The easiest way to detect vulnerabilities is to do a web protection review and to look for any areas where input from an HTTP request might potentially enter the HTML output. Notice that they can use a number of various HTML tags to convey a malicious JavaScript. Nikto, Nessus, and some other accessible instruments can help examine a site for these flaws, however, can just start to expose what’s underneath. If a piece of a site is weak, there is a high probability that there are different issues also.

How to Protect Yourself

The OWASP XSS Security Cheat Sheet outlines the key protections against XSS.

Even, shutting off the HTTP TRACE service on all web servers is important. An attacker can steal cookie data via Javascript, even if the browser disables or does not support the document cookie. This assault is launched when a user posts a malicious content to a website, and if another user clicks on the connection, it causes an asynchronous HTTP Trace request that collects cookie information from the server from the user and then transfers it to another malicious site that collects cookie information so that the attacker can launch a session hijack assault. This is effortlessly moderated by removing support for HTTP TRACE on all network servers.

Many institutions have developed a series of modular security modules in several languages including validation and escape routines to avoid parameter manipulation and XSS attack injection. CISSP training is very effective for the protection against these attacks.