Cross Site Scripting (XSS)

Bart Lenaerts-Bergmans - May 19, 2023

What Is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is an injection attack in which an adversary gets malicious script into content served by a legitimate website. The script then runs in the victim's browser as if it were part of that site, which lets the attacker read data the page can read, steal session material, or perform actions as the user.

Web forums, message boards, blogs, and other websites that render user-supplied content are the most exposed to XSS. Unless the web application validates that input on arrival and encodes it when writing it into a page, any script included in the content runs in other users' browsers. The script can then read the page's DOM, cookies that are not marked HttpOnly, session tokens kept in browser storage, or other sensitive data the site holds in the browser, and it can make requests with the victim's session. In more advanced attacks the script rewrites the content of the infected page itself.

Script-based attacks such as XSS have grown in recent years partly because they run inside the browser on content the site itself delivered, which leaves little for traditional anti-virus (AV) tools and network firewalls to inspect. Organizations need to include XSS detection and prevention in their overall cybersecurity strategy to protect their website visitors and reduce the risk of reputational harm.

How Does Cross Site Scripting Work?

It is important to note that the mechanics of an XSS attack vary with the type being deployed. That said, most attacks follow the same process:

  1. The attacker finds a place where untrusted input reaches a page and a way to inject script there. For stored XSS the website must accept user content, for example through comments, posts, or contact fields; for reflected and DOM-based XSS any request parameter, URL fragment, or other value that the page echoes will do. If the attacker has a defined target, they employ social engineering tactics, such as a phishing or spoofed message carrying the crafted link, to get the victim to visit the page in question. Otherwise, the payload is left for any user to encounter.
  2. The victim loads the page carrying the injected code. The browser executes it because it arrives as part of a page from a trusted origin and is indistinguishable from the site's own scripts. The injected code is not visible in the rendered page, and most internet users cannot read JavaScript, so the average user has little chance of noticing an XSS attack.


XSS Attack Types With Examples

There are three main types of cross-site scripting attack:

1. Reflected or Non-Persistent XSS

The malicious script is executed as part of an active HTTP request and is “reflected” from the web server to the user.

The most straightforward variety: reflected XSS occurs when a web application takes data from an HTTP request and writes it into the immediate response without validating or encoding it.

The following is an example of a reflected XSS:

https://insecure-website.com/status?message=All+is+great.
<p>Status: All is great.</p>

Because the application does not encode the data before writing it into the page, the attacker can easily launch a script-based attack like the one below against other users.

https://insecure-website.com/status?message=<script>/*+Malicious+code+here...+*/</script>
<p>Status: <script>/* Malicious code here... */</script></p>

In a reflected attack, the injected script is delivered through a malicious link that appears to lead to an error message, search result, or similar page. When the victim follows the link, the payload travels to the vulnerable site inside the request and is "reflected" back in the response to the victim's browser, which executes it because it comes from the site's own origin. The script can then perform any action available to the user in that session and capture any data the user enters during it.

2. Stored or Persistent XSS

The malicious script is saved persistently on the web application's side, for example in a database backing a visitor log, web forum, or comment field.

Stored XSS attacks, also known as persistent XSS attacks, occur when a web application accepts data from an untrusted or unverified source, stores it, and includes it in later HTTP responses. In a stored cross-site scripting attack the injected script is kept on the target server, for instance in a database, message board post, comment, or similar location. For instance, a benign comment renders as:

<p>Hi, this is my comment!</p>

If the site does not encode the submitted data when it renders it, an attacker can easily post content that includes a malicious script, and every later visitor who requests the stored information retrieves and executes it.

<p><script>/* Malicious code here... */</script></p>
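The reflected "status" page and the stored "comment" page above, each beside an output-encoded fix, as an added example that is not code from the original article. The handler names, the in-memory comment store and the sample inputs are constructed for this illustration; the payload strings are the ones shown on the page.

```javascript
// Added example (not code from the original page): the reflected "status"
// page and the stored "comment" page from the text, each beside an
// output-encoded fix. The handler names, the in-memory comment store and the
// sample inputs are constructed for this illustration.

// Entity-encode text for an HTML element body or a quoted attribute value.
// This is the "encode at the output stage" control: data is stored raw and
// encoded for the context it is written into at render time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Reflected XSS: the query-string value is copied straight into the response.
function renderStatusVulnerable(requestUrl) {
  const message = new URL(requestUrl).searchParams.get('message') || '';
  return `<p>Status: ${message}</p>`;
}

// Fixed: same page, but the untrusted value is encoded as it is written out.
function renderStatusSafe(requestUrl) {
  const message = new URL(requestUrl).searchParams.get('message') || '';
  return `<p>Status: ${escapeHtml(message)}</p>`;
}

// Stored XSS: comments are kept server-side and replayed to every later visitor.
const commentStore = [];

function postComment(text) {
  // Stored raw on purpose. Encoding on input would be the wrong layer: the same
  // text may later be emitted into JSON, a log line or an e-mail, each of which
  // needs a different encoding, and HTML-encoded data in the database is
  // corrupted for every non-HTML consumer.
  commentStore.push(text);
}

function renderCommentsVulnerable() {
  return commentStore.map((c) => `<p>${c}</p>`).join('\n');
}

function renderCommentsSafe() {
  return commentStore.map((c) => `<p>${escapeHtml(c)}</p>`).join('\n');
}

// Constructed inputs: the page's own reflected payload and a stored-comment payload.
const REFLECTED_URL =
  'https://insecure-website.com/status?message=<script>/*+Malicious+code+here...+*/</script>';
const STORED_PAYLOAD = '<script>/* Malicious code here... */</script>';

// Runs both scenarios and returns the four renderings for comparison.
function demo() {
  commentStore.length = 0;
  postComment('Hi, this is my comment!');
  postComment(STORED_PAYLOAD);
  return {
    reflectedVulnerable: renderStatusVulnerable(REFLECTED_URL),
    reflectedSafe: renderStatusSafe(REFLECTED_URL),
    storedVulnerable: renderCommentsVulnerable(),
    storedSafe: renderCommentsSafe(),
  };
}

console.log(demo());
```

Two points worth noting. First, the vulnerable and fixed handlers differ only at the output step, which is where the encoding belongs: the fix is "encode for the context you are writing into", and HTML entity encoding is correct for an element body or a quoted attribute but not for a value dropped inside a script block, a URL, or a CSS string, each of which needs its own encoder. Second, a template engine with auto-escaping enabled does the same job by default; the bugs tend to appear where a developer switches it off or builds HTML by string concatenation, as above.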

3. Document Object Model or DOM-Based XSS

The security vulnerability exists on the client-side code, which is code that runs in the browser instead of the server-side code.

DOM XSS is the least common of the three. Unlike the other two types, whose flaw lies in server-side code, a DOM-based XSS attack exploits client-side code, that is, code that runs in the browser. It occurs when the page's own JavaScript takes data from a source the attacker can influence (a URL parameter, the fragment after #, the referrer, an input field) and writes it to a sink that interprets markup or code, such as innerHTML, document.write, or eval, without sanitizing it. DOM XSS is carried out in JavaScript because JavaScript is the scripting language every browser executes natively.

In the following example, the page's JavaScript reads the value of an input field and then writes it into an HTML element through innerHTML:

var search = document.getElementById('search').value;
var results = document.getElementById('results');
results.innerHTML = 'You searched for: ' + search;

When an attacker controls the value of the input field (for example because the page fills it from a URL parameter), they can supply markup instead of a search term. The image below fails to load, so the browser runs its onerror handler:

You searched for: <img src=1 onerror='/* Bad stuff here... */'>
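The innerHTML sink from the snippet above beside two fixed versions, as an added example that is not code from the original article. To run outside a browser it uses a constructed FakeElement stand-in for a DOM element; in a real page the same functions would be handed document.getElementById('results').

```javascript
// Added example (not code from the original page). FakeElement is a constructed
// stand-in for an HTMLElement so this runs without a browser: assigning
// innerHTML hands the string to the HTML parser, which creates elements (and
// fires their event handlers); assigning textContent creates one text node,
// which is never parsed. Its serialized form mirrors what el.innerHTML would
// read back (text nodes are serialized with &, < and > encoded).
class FakeElement {
  constructor() {
    this.serialized = '';   // what el.innerHTML would read back
    this.createdTags = [];  // elements the parser would have created
  }
  set innerHTML(markup) {
    this.serialized = markup;
    this.createdTags = Array.from(
      markup.matchAll(/<([a-zA-Z][\w-]*)/g),
      (m) => m[1].toLowerCase(),
    );
  }
  set textContent(text) {
    this.serialized = text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
    this.createdTags = [];
  }
}

// Source: attacker-influenced value (the search box, or location.search / hash
// that the page copied into it). Sink: innerHTML. This is the page's snippet
// with the element passed in instead of looked up.
function renderResultsVulnerable(results, search) {
  results.innerHTML = 'You searched for: ' + search;
  return results;
}

// Fix 1: the value is only ever text, so use a text sink. Nothing is parsed.
function renderResultsSafe(results, search) {
  results.textContent = 'You searched for: ' + search;
  return results;
}

// Fix 2: markup is genuinely needed around the value, so entity-encode the
// value before it reaches the HTML sink.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

function renderResultsSafeMarkup(results, search) {
  results.innerHTML = '<b>You searched for:</b> ' + escapeHtml(search);
  return results;
}

// The page's own DOM XSS payload.
const SAMPLE_PAYLOAD = "<img src=1 onerror='/* Bad stuff here... */'>";

console.log(renderResultsVulnerable(new FakeElement(), SAMPLE_PAYLOAD).createdTags); // ['img']
console.log(renderResultsSafe(new FakeElement(), SAMPLE_PAYLOAD).createdTags);       // []
```

The reviewer's check for DOM XSS is to trace each attacker-reachable source (location.search, location.hash, document.referrer, window.name, postMessage data, form fields) to every sink it reaches; innerHTML, outerHTML, insertAdjacentHTML, document.write and eval-like calls are the ones that execute markup or code. Reaching for textContent or createTextNode whenever the value is plain text removes the sink entirely, which is a stronger fix than trying to filter the value.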

Additional XSS Classification Methods

It is important to note that while each of these three attack types is distinct, they are not mutually exclusive. There is overlap between the categories: a single attack can combine elements of two types, for example a stored payload that only executes when the page's own client-side code later writes it into the DOM.
For this reason, the cybersecurity community also classifies XSS by where the untrusted data is inserted into the page: Server XSS when server-side code writes it into the HTTP response, and Client XSS when client-side JavaScript writes it into the DOM.


Different cross-site scripting approaches

An XSS attack can occur anywhere input from an HTTP request can make its way into HTML output. Below is a list of common tactics attackers leverage in an XSS attack:

  • Use a <script> tag to reference, insert or embed malicious JavaScript code.
  • Exploit JavaScript event handler attributes, such as onload and onerror, on otherwise harmless tags.
  • Deliver an XSS payload through event attributes on the <body> tag, such as onload.
  • Abuse <img>, <link>, <div>, <table>, <td> or <object> tags whose attributes can reference or embed script.
  • Use an <iframe> tag to embed an attacker-controlled page, or a javascript: URL, within the existing page.
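A triage heuristic that flags request log lines carrying the tactics listed above, as an added example that is not from the original article. The log lines are constructed in the common log format, the indicator list is an assumption kept deliberately narrow, and the whole thing is a detection aid for hunting in web logs, not a prevention control: encoded, obfuscated or context-specific payloads will slip past a pattern list, and legitimate text can trip it.

```javascript
// Added example (not from the original page): flag request paths in web server
// logs that carry common XSS tactics. The log lines and the indicator list are
// constructed for this illustration.

// Each tactic from the text, as a pattern applied after decoding.
const INDICATORS = [
  { name: 'script tag',      re: /<\s*script\b/i },
  { name: 'event handler',   re: /\bon[a-z]+\s*=/i },
  { name: 'javascript: URI', re: /javascript\s*:/i },
  { name: 'embedding tag',   re: /<\s*(iframe|object|embed|img|svg)\b/i },
];

// Normalize the way the application would see the value: '+' becomes a space
// and percent-decoding is repeated (bounded) so double-encoded payloads are
// inspected in their final form.
function normalize(raw) {
  let s = raw.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let decoded;
    try { decoded = decodeURIComponent(s); } catch (_) { break; }
    if (decoded === s) break;
    s = decoded;
  }
  return s;
}

// Parse a common-log-format line into client, method, path and status.
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  return { client: m[1], method: m[2], path: m[3], status: Number(m[4]) };
}

// Return the parsed request plus the decoded path and the indicators it hit.
function inspect(line) {
  const req = parseLogLine(line);
  if (!req) return null;
  const decoded = normalize(req.path);
  const hits = INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
  return { ...req, decoded, hits };
}

// Only the lines that hit at least one indicator.
function scan(lines) {
  return lines.map(inspect).filter((r) => r && r.hits.length > 0);
}

// Constructed sample log: one benign request, a reflected script tag, a
// double-encoded img/onerror payload, and a javascript: URI in a profile field.
const SAMPLE_LOG = [
  '203.0.113.5 - - [19/May/2023:10:00:01 +0000] "GET /status?message=All+is+great. HTTP/1.1" 200 512',
  '203.0.113.7 - - [19/May/2023:10:00:02 +0000] "GET /status?message=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540',
  '203.0.113.9 - - [19/May/2023:10:00:03 +0000] "GET /search?q=%253Cimg%2520src%253D1%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 530',
  '198.51.100.4 - - [19/May/2023:10:00:04 +0000] "GET /profile?site=javascript:alert(document.cookie) HTTP/1.1" 200 610',
];

for (const hit of scan(SAMPLE_LOG)) {
  console.log(`${hit.client} ${hit.method} ${hit.decoded} -> ${hit.hits.join(', ')}`);
}
```

Two caveats for anyone adapting this. Only the request line is inspected, so payloads in POST bodies, headers or the URL fragment (which never reaches the server) are invisible to it; and a request that carries a payload is not proof the application was vulnerable, only that someone tried, so the next step is to check whether the response reflected or stored the value.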

What Are the Impacts of XSS?

XSS attacks can have serious consequences for victims. In the worst cases, the script reads the user's session cookies or tokens and the attacker uses them to masquerade as that person, or the script simply acts on the user's behalf from inside the session. It can also exfiltrate any data the page can access and redirect the user to sites that serve malware or phishing content.

On the site's side, XSS attacks can result in reputational harm to the host organization. For example, by altering what a corporate site displays, attackers can spread misinformation about the company's business practices or activities. The adversary can also manipulate website content to give visitors incorrect instructions or directions. This is especially dangerous if attackers can alter government websites or resources during an emergency, misdirecting people on how and where to proceed in a time of crisis.

Unfortunately, XSS flaws can be hard to spot: the injected script is invisible to a visitor without programming knowledge, and even skilled developers rarely inspect the scripts a trusted site serves. With stored XSS, once the payload is in the database it persists until the offending records are found and removed, and every page that renders them remains affected in the meantime.


XSS Prevention

It's crucial to ensure your organization is not vulnerable to XSS attacks. Script-based and other fileless attacks have increased in recent years because they leave little for conventional security tools, including antivirus software and firewalls, to inspect.

To maintain a secure website, organizations’ web teams should work cross-functionally with their cybersecurity team or with a trusted cybersecurity partner to help them assess the risk of XSS attacks on their corporate site.

Keeping a website secure on both the client and server side typically calls for a vulnerability management solution that continuously monitors the site for weaknesses. An effective complement is a security champion: someone within the cybersecurity team who works with web developers and the rest of the web team to bring security best practices into developing and maintaining the site. The security champion can also point out critical weaknesses or vulnerabilities that could leave the website open to XSS attacks.

Additionally, by working with your cybersecurity team, you should consider these practices to create a secure and safe web environment:

  • Perform manual penetration testing on the areas most likely to be exploitable, such as search, comment, profile and error pages that echo user input.
  • Limit users' ability to submit content to the company's website and other resources, such as forums, blogs, or member groups.
  • If allowing user input, validate it on arrival against a strict allowlist of what the field needs, and encode data at the output stage for the context it is written into (HTML body, attribute, JavaScript, URL).
  • Prevent injected code from executing in responses that should not contain HTML or JavaScript by sending the correct Content-Type (for example application/json for API responses) and the X-Content-Type-Options: nosniff header, so the browser does not reinterpret them as HTML.
  • Provide continual cybersecurity training and development opportunities for your IT team, as well as developers, programmers, and engineers, so they understand the risks of XSS and can address them by design.


GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and has more than 20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies, including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, in both product management and product marketing roles.