Examine different types of cross-site scripting attacks

And learn methods to deter them




Cross-Site Scripting (XSS)

by Nikita Gupta, Analyst, IBM


Cross-site scripting (XSS) occurs when a browser renders user-supplied input as executable script. Any website that accepts user input without validating it is vulnerable to XSS attacks. If the input contains malicious code, that code can make the targeted browser perform whatever action it dictates, including displaying attacker-controlled content or stealing the victim's credentials or personal information. By stealing login information, XSS attackers can also reach restricted data on an organization's server or illegally obtain free access to content. These vulnerabilities can negatively affect a company's brand and bottom line.

The main kinds of XSS attack are:

  • Stored: The malicious script is saved on the server (for example, in a comment or profile field) and is served to every visitor who views the affected page.
  • Reflected: The script is included in an apparently harmless URL that is emailed to the victim or embedded in search results or error messages. When the link is clicked, the server echoes the script back into the page and the browser executes it.
  • DOM-based: The attack never reaches the server at all. Instead, client-side code such as JavaScript reads attacker-controlled data and writes it into the victim's Document Object Model (DOM), where the injected script runs.

Recent studies have noted a drop in XSS attack activity between 2011 and 2014, attributed to efforts to find and patch vulnerabilities. Organizations, however, should not become complacent: WhiteHat Security still estimates that any given site has a 47.9% likelihood of being susceptible to XSS attacks. Cross-site scripting remains a favorite target of attackers, who are quick to exploit weaknesses wherever they find them. To protect an organization's web applications from XSS attacks, administrators can do the following:

  • Sanitize or validate all user-supplied input
  • Perform a thorough code review to identify possible vulnerabilities
  • Disable the HTTP TRACE method, which attackers can abuse to read cookie data
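The first of these mitigations comes down to never letting untrusted text reach a page as markup. The following Node.js module is an added example, not code from the original article or from IBM: it shows a reflected-XSS search page in its vulnerable and hardened forms, encodes stored comments at output time, and refuses non-http(s) link targets. The function names, the sample comments and the assumed site origin are constructed for this illustration.

```javascript
// Added example, not code from the original article: output encoding as the
// defence for stored and reflected XSS, plus a link check, shown in Node.js.
// All function names and sample values here are constructed for illustration.

// Entity-encode the characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Allow only http(s) targets in href attributes; anything else (including
// "javascript:" URLs, which entity encoding alone does not neutralize) becomes
// an inert "#". Relative links are resolved against an assumed site origin.
const SITE_ORIGIN = 'https://site.example/'; // assumed origin for this example

function safeHref(value) {
  try {
    const url = new URL(String(value), SITE_ORIGIN);
    if (url.protocol === 'http:' || url.protocol === 'https:') {
      return escapeHtml(url.href);
    }
  } catch (err) {
    // unparsable input falls through to the inert default below
  }
  return '#';
}

// Reflected XSS, the vulnerable "before": the search term from the request is
// concatenated straight into the response, so a term containing markup runs.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// The same page, hardened: the term is encoded for the HTML text context it
// lands in, so the browser displays it instead of executing it.
function renderSearch(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored XSS: comments read back from the database are still untrusted, so
// every field is encoded at output time rather than trusting earlier cleaning.
function renderComments(comments) {
  return comments
    .map(
      (c) =>
        `<li><a href="${safeHref(c.site)}">${escapeHtml(c.author)}</a>: ` +
        `${escapeHtml(c.body)}</li>`
    )
    .join('');
}

// For DOM-based XSS the same rule applies inside the browser: assign untrusted
// data with element.textContent, never with element.innerHTML.

// Check used when reviewing rendered output: is a raw <script> start tag left?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data: one benign comment and one carrying a script tag,
// a javascript: link and an attribute-breaking body.
const sampleComments = [
  { author: 'alice', site: 'https://alice.example/', body: 'Nice post' },
  { author: '<script>alert(1)</script>', site: 'javascript:alert(1)', body: '"><b>x</b>' },
];

// Renders the vulnerable and hardened variants for side-by-side review.
function demo() {
  const probe = '<script>alert(1)</script>';
  return {
    unsafe: renderSearchUnsafe(probe),
    safe: renderSearch(probe),
    comments: renderComments(sampleComments),
  };
}
```

Run it with `node` and inspect `demo()`: the unsafe variant returns the probe as live markup, while the hardened variant and the comment list contain only entity-encoded text and an inert `#` where the `javascript:` link was. The point of `safeHref` is that encoding is context-specific; a value that is harmless as text can still be dangerous as a URL scheme, so attribute values that become navigation targets need their own validation.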

Users can also help avoid breaches by exercising care when clicking on links in websites, emails, or messages. When in doubt, type in URLs directly.
