Cross-site scripting (XSS) is an attack against a web application that uses a server to deliver a malicious script to a user's web browser. Attackers use this method to identify and infect a vulnerable website first, rather than directly attacking the end user. Once the website is infected, visitors unknowingly download the script, which their browser then executes. An XSS generally performs actions such as data exfiltration and session hijacking when it executes.
Many issues can arise when an XSS compromises a web page. The most common of these include:
XSS generally becomes more detrimental to an organization the longer it remains on the website. Long-term infection is particularly damaging to the host organization's reputation and relationships with its clients. The Magecart XSS was responsible for one of the best-known attacks of this type, which first occurred on a large scale during the 2018 holiday shopping season. This XSS was able to inject itself into many online check-out sites, where it retrieved user credit card information. Magecart probably uploaded this information to a server, allowing the attackers to use it for fraudulent purposes themselves or sell it to other criminals.
XSS attacks may be classified into the following types:
A reflected XSS attack uses a website client's own browser to send the malicious script to the server. This type of attack is also known as a non-persistent XSS attack since the script isn't stored on the server. An attacker can conduct a reflected XSS attack by creating a URL that passes the malicious script in the form of a search parameter to a website with a vulnerable search page. This URL would have the general form of
The next step is to trick users into visiting this URL, often by sending them a phishing email containing the URL as a clickable link. Another tactic is to simply publish the URL on a public page. Once a user clicks the link, the website accepts the search parameter under the assumption that the user is searching for something. However, this parameter is actually the malicious script, which the webserver then injects into the page, causing the user's browser to execute it.
A server stores the malicious script in a persistent XSS attack, unlike a reflected attack. In this case, an attacker could post a message on a forum that the target website hosts. The post contains the script, which a user's browser loads and executes when the user visits that page. A persistent XSS attack treats all site visitors as targets, whereas a reflected attack only targets specific users.
A Domain Object Model (DOM) XSS exploits vulnerabilities in the scripts that a server provides for visitors. This type of XSS doesn't directly deliver the malicious script to the target's browser, as is the case with the other types. However, a DOM-based XSS is similar to a reflected attack in that the server doesn't store the script. While these two types could use the same setup as described in the reflected XSS section above, the server wouldn't generate the web page with the malicious code in the case of a DOM-based XSS. Instead, the target's browser would directly load and execute the script when rendering the search page.
The most effective way of defeating XSS attacks is to sanitize user input. This technique primarily involves encoding the server's output to prevent the user's data from automatically causing the browser to load and execute code. Validation of that data is also necessary for detecting malicious user data, which requires the use of a web application scanning tool. A browser's content security policy can help prevent XSS attacks by providing multiple levels of risk mitigation.