
Cross-Site Scripting (XSS): Definition, Examples, and Prevention


What Is Cross-Site Scripting?

Cross-site scripting (XSS) is an application-layer attack that exploits the communication between users and web applications to gain access to sensitive data or even take over an entire application. Attackers use vulnerabilities in a web application to deliver malicious scripts to another end user's browser and then impersonate that user. XSS also provides a gateway for bad actors to carry out phishing, cookie theft, and keylogging.

Attackers can hide these attacks inside legitimate websites. For example, they might inject code into a website that sends them the cookies of every user who visits the page. Since cookies often carry session or identification data, the attacker may then be able to impersonate that user.

Cross-Site Scripting is a type of code injection attack.

Examples of XSS Attacks

Reflected XSS

A user unknowingly requests malicious JavaScript code from a website, for example by clicking on a shortened URL, and the server includes that code in its response, which the browser then executes.

Stored (Persistent) XSS

Attackers store malicious code in application pages such as message boards or comment fields, and every time a user views the infected page, that script is transmitted to and executed in their browser.

DOM-Based XSS

An attacker manipulates the Document Object Model (DOM) environment of an HTML or XML document, and the web application's client-side code writes that attacker-controlled data into the DOM without sanitizing it. The client-side code then executes the malicious payload.

Protection Against XSS Attacks

There are several ways to protect against cross-site scripting attacks, but here are the top three:

  1. Sanitize user input
  2. Validate user input
  3. Use a content security policy

Sanitizing GET request parameters and cookies helps protect sites that allow HTML markup, which bad actors can otherwise manipulate. Validating data by testing all user and application inputs prevents attackers from inserting special characters into fields such as form dropdowns. A content security policy (CSP) tells the browser which kinds of content, from which domains, it is allowed to load and execute.
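As an added illustration of the three measures above (not code from ExtraHop), the following shows a comment-rendering step for the stored XSS case beside its output-encoded form, a strict input check for a form dropdown, and the Content-Security-Policy header the server would send. The function names and the sample comment are constructed for this example.

```javascript
// Encode the five characters that let untrusted text break out of an HTML
// text node or attribute. This is output encoding, the counterpart of the
// input sanitization the article lists.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable: the stored comment is interpolated straight into markup, so a
// comment containing a <script> tag runs in every visitor's browser.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened: every untrusted field is encoded before it reaches the page.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Constructed sample of a stored-XSS payload as it might sit in a database.
const SAMPLE_COMMENT = { author: 'guest', body: '<script>alert(1)</script>' };

// Validation for a dropdown: accept only a value the form actually offered,
// which rejects injected characters outright instead of trying to clean them.
function validateChoice(value, allowed) {
  return allowed.includes(value) ? value : null;
}

// Content Security Policy: scripts may load only from the site itself and the
// hosts passed in; inline scripts (what injected markup needs) are refused.
function buildCsp(allowedScriptHosts = []) {
  const scriptSrc = ["'self'", ...allowedScriptHosts].join(' ');
  return `default-src 'self'; script-src ${scriptSrc}; object-src 'none'; base-uri 'self'`;
}

// Stand-alone demo of the unsafe versus safe rendering of the same comment.
console.log(renderCommentUnsafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.body));
console.log(renderCommentSafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.body));
console.log('Content-Security-Policy: ' + buildCsp(['https://cdn.example.com']));
```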

Detection of this attack can be enhanced with decryption, because XSS attacks are usually carried out over port 443 inside an encrypted protocol such as TLS. For that reason, it is critical that security tools can decrypt all common encryption protocols, including TLS 1.3.

The term "cross-site scripting" was introduced in 2000 by Microsoft engineers and soon became the most common web application exploit. It remains an extremely common attack. Originally, attackers used JavaScript to run an invisible website within a frame of a legitimate website, which let them capture data entered on the legitimate site and run malicious code.