Cross-site scripting (XSS) is a security vulnerability that allows an attacker to alter the code an application delivers to a user, code that is then executed in the user’s web browser. It is most commonly found in web applications and affects the user’s browser, but it is also possible in other applications with embedded web content, such as an interactive “help” content viewer.

When an XSS vulnerability is used as an attack vector, input sent by the attacker is insecurely processed by the application in a way that allows the attacker to alter the code sent to the victim and executed in the victim’s web browser.

What Types of Attacks Can Happen from XSS?

XSS vulnerabilities may allow for many different possible attacks against the victim. Such attacks may include:

  • Stealing the login session token, allowing the attacker to interact with the application as the victim without knowing the victim’s password
  • Forcing the user to send attacker-controlled requests to a server; imagine a vulnerable bank web application forcing you to transfer money
  • Changing the content of the page; imagine a popular news site altered to report a fake stock market crash, inciting panic
  • Tricking the victim into divulging her password to the application or to other applications
  • Infecting the victim with other malicious code by using a vulnerability in the web browser itself, possibly taking over the victim’s computer

Some attacks can be sent to the application server and executed against many other users of that application, for example:

  • A vulnerable forum site or comment system allows a user-submitted post to be viewed by many other users, each of whom becomes a victim of the attack
  • A vulnerable contact form delivers a malicious message to site administrators that gives the attacker access to the “admin panel” when it is viewed by an administrative user

Other attacks require the attacker to convince or trick the victim into first loading a malicious link, for example via email, instant messaging, or a forum post or comment.

How does a Cross-Site Scripting Attack Work?

How Do I Prevent This From Happening?

To prevent this vulnerability, developers must validate all input to the application and encode all input that is included in output. This is an essential part of application development and helps prevent many other types of vulnerabilities, not just XSS.
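The two halves of that advice, input validation and output encoding, applied to a forum comment feature, as an added example that is not code from the original article. The helper names (escapeHtml, validateDisplayName, renderCommentInsecure, renderCommentSafe) and the sample post are assumptions constructed for this illustration.

```javascript
// Added example (not from the original article): validate structured input,
// encode untrusted text on output. All names here are hypothetical.

// Output encoding for the HTML text/attribute context: every HTML-significant
// character becomes an entity, so untrusted text is rendered as text and never
// parsed as markup. JavaScript, URL and CSS contexts need their own encoders.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: accept only what the field is meant to hold.
// A display name here is 1-32 letters, digits, spaces, dots or hyphens.
function validateDisplayName(name) {
  return typeof name === "string" && /^[A-Za-z0-9 .-]{1,32}$/.test(name);
}

// The "before" case: untrusted author and body are concatenated straight into
// HTML, so any markup in the post reaches the browser's parser unchanged.
function renderCommentInsecure(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened rendering: reject an invalid structured field, and encode every
// value that lands inside HTML text (free-form body included).
function renderCommentSafe(author, body) {
  if (!validateDisplayName(author)) {
    throw new Error("invalid display name");
  }
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed sample post containing a script tag, as a forum user might submit it.
const SAMPLE_BODY = "Nice post <script>alert(1)</script>";
```

Rendering SAMPLE_BODY through renderCommentInsecure emits a live script tag to every viewer of the thread, while renderCommentSafe emits `&lt;script&gt;` so the browser displays the text instead of executing it.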