Cross-site scripting

Updated: 11/04/2017 by Computer Hope

Abbreviated as XSS, cross-site scripting is a vulnerability that allows an attacker to insert malicious code (JavaScript) into a website script. Once a script has been found to be vulnerable, the attacker can e-mail or post a link to that website script to attack a user's computer.

What can a hacker do with cross-site scripting?

  • Execute JavaScript code.
  • Access cookies stored on a computer to gain access to the victim's account.
  • Create fake login pages that steal login details.
  • Access webcams and microphones connected to a computer.
  • Bypass website security designed to protect you and your computer.
  • Create a script that loops or causes other problems that cause the browser to crash.
  • Help other computers perform a DDoS attack on another server.
  • Give the appearance of the site being defaced.
  • Help distribute spam, transfer money, or perform other actions on a user's account.

How users can reduce the risk of becoming a victim of cross-site scripting

  • Always be cautious with links sent by e-mail and posted on social networks.
  • Never click on a link purporting to be from any financial service or other sensitive site. If your bank, credit card, or related service wants you to click on a link, open your browser and enter the web address in the address bar yourself.
  • Familiarize yourself with phishing tactics.
  • When you are done with your online account, log out.
  • Keep your browser up-to-date with the latest version.
  • Familiarize yourself with all of the ways to protect yourself while on the Internet.

How WebMasters can reduce the threat of cross-site scripting

  • Always assume any data submitted to a script is malicious.
  • Properly encode, escape, and sanitize the submitted data.
  • Escape a double quote (") as &quot; and a single quote (') as &#39; so that submitted data cannot break out of a quoted attribute.
  • Only accept data that you need. For example, if a field is for a name only accept the letters A through Z and strip any numbers and other characters.
  • Never accept and run JavaScript code from an untrusted source.
  • Never place accepted data directly into an HTML comment (<!-- -->), a <script> or <style> block, a div attribute, or a tag name.
  • If using cookies, use HttpOnly.
  • Download and test sites using Zed Attack Proxy (ZAP).

As an example, a developer could test any online form for XSS by adding HTML or JavaScript to a form field and checking whether the script returns a page containing that HTML or JavaScript. For example, adding "<script>alert()</script>" to a form field should not return a JavaScript alert box. If a page does return an alert box, it is vulnerable to an XSS attack.
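As an added example (not code from the Computer Hope page), the Node.js snippet below applies the webmaster rules above to the page's own "<script>alert()</script>" probe: entity-encode output, whitelist a name field to letters, flag the session cookie HttpOnly, and check whether a rendering function reflects the probe. All function names and the cookie name are assumptions.

```javascript
// Entity map for the characters that can change HTML meaning, including the
// &quot; and &#39; escapes recommended for quotes above.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text so the browser treats it as data, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Whitelist for a name field: keep only the letters A through Z (either case)
// and strip numbers and every other character.
function sanitizeName(untrusted) {
  return String(untrusted).replace(/[^A-Za-z]/g, '');
}

// Vulnerable rendering: reflects the submitted value straight into the page.
function renderGreetingVulnerable(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened rendering: whitelist the field, then encode before it reaches HTML.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(sanitizeName(name))}</p>`;
}

// The check the page describes: does the probe come back as live markup?
const XSS_PROBE = '<script>alert()</script>';
function reflectsProbe(render) {
  return render(XSS_PROBE).includes(XSS_PROBE);
}

// Session cookie flagged HttpOnly so injected page scripts cannot read it
// through document.cookie. "session" is a constructed cookie name.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Path=/`;
}

console.log(renderGreetingVulnerable(XSS_PROBE)); // probe survives: alert box fires
console.log(renderGreetingSafe(XSS_PROBE));       // <p>Hello, scriptalertscript</p>
console.log('vulnerable reflects probe:', reflectsProbe(renderGreetingVulnerable));
console.log('hardened reflects probe:', reflectsProbe(renderGreetingSafe));
```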
