Cross-Site Scripting (XSS) Attacks

Reviewed June 01, 2023

These attacks can occur when data enters a Web application through an untrusted source, or data is included in dynamic content that is sent to a web user without being validated for malicious content. Malicious content can be JavaScript, but may also be HTML, Flash, or any other type of code that the browser can execute. XSS attacks can generally be categorized into two categories with a a third, much less well known type called DOM Based XSS.

Stored attacks are those where the injected script is permanently stored on the target servers, in places such as databases, message forums, visitor logs, and comment fields. The victim retrieves the malicious script from the server when it requests the stored information. Stored XSS is also known as Persistent or Type-I. Reflected attacks are those where the injected script is reflected off the web server, example, an error message or search result, or any other response that includes input sent to the server as part of the request. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or browsing to a malicious site, the injected code is sent to the vulnerable web site which then reflects the attack back to the user’s browser which executes the code.

XSS flaws can be difficult to identify. The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. Note: If one part of a website is vulnerable, there is a good chance that there are other problems as well.