Cross-site scripting

Updated: 03/10/2024 by Computer Hope

Abbreviated as XSS, cross-site scripting is a vulnerability that allows an attacker to insert malicious code (JavaScript) into a website script. Once a script is found as vulnerable, the attacker can e-mail or post a link to that website script to attack a user's computer.

What can a hacker do with cross-site scripting?

  • Execute JavaScript code.
  • Locate cookies stored on a computer, allowing access the victim's account.
  • Create fake login pages that steal login details.
  • Access webcams and microphones connected to a computer.
  • Bypass website security designed to protect you and your computer.
  • Create a script that loops or causes other problems that cause the browser to crash.
  • Help other computers perform a DDoS attack on another server.
  • Give the appearance of the site being defaced.
  • Help distribute spam, transfer money, or perform other actions on a user's account.

How users can reduce being a victim to cross-site scripting

  • Always be cautious with links sent by e-mail and posted on social networks.
  • Never click a link reporting to be from any financial service or other sensitive websites. If your bank, credit card, or related service wants you to click a link, open your browser and enter the web address in the address bar.
  • Familiarize yourself with phishing tactics.
  • When done with your online account log out.
  • Keep your browser up-to-date with the latest version.
  • Read: How to protect yourself while on the Internet.

How Webmasters can reduce the threat of cross-site scripting

  • Always assume any data submitted to a script is malicious.
  • Properly encode, escape, and sanitize the submitted data.
  • Escape a quote (") with " and a single quote (') with ' to prevent escaping an escape.
  • Only accept data that you need. For example, if a field is for a name only accept the letters A through Z and strip any numbers and other characters.
  • Never accept and run JavaScript code from an untrusted source.
  • Never place accepted data into a <!--, <script>, <style>, div attribute, or tag name attribute.
  • If using cookies, use HttpOnly.
  • Download and test sites using ZAP (Zed Attack Proxy).

Example of testing a form for XSS

A developer could test any online form for XSS by adding HTML (hypertext markup language) or JavaScript into a forum field to see if the script returns printed code or performs the code action. For example, adding the following code to a forum field should not return a JavaScript alert box.

<script>alert()</script>

If a page does return an alert box, it's vulnerable to an XSS attack.

Computer abbreviations, Cookie poisoning, Security terms, Web design terms