Select language
Avast Academy What is Cross-Site Scripting (XSS)?

What is Cross-Site Scripting (XSS)?

XSS is a type of website vulnerability that lets attackers place malicious scripts into otherwise trustworthy web pages and apps. Using XSS, hackers can freely disseminate their malware to countless people.


What is cross-site scripting?

XSS attacks target the code (otherwise known as the script) in a web page that is executed in the user's browser, rather than on the website’s server. When you’re attacked, your browser is injected with malicious scripts that will try to harm your computer. There is an almost limitless variety of XSS attacks but most try to harvest personal data, redirect victims to websites controlled by the hacker or make your PC perform operations on behalf of the hacker.

Hamburguer menu icon

This article contains:

    How do XSS attacks happen?

    Websites store data and send information to your browser all the time: XSS attacks happen when untrusted sources send users malicious content via vulnerabilities in the websites to your browsers that will then go on to steal your data or harm your PC. For example: when a user searches for something online, the website will then send information to the browser in the form of search results. In a XSS attack, the information they send back can contain malware that might steal your data. Because nearly every website requires storing and sending data to browsers, XSS is the most common security vulnerability in software today.

    How can you recognize a XSS attack?

    Unfortunately, your browser has no way of knowing if a script should not be trusted and will automatically execute any scripts it receives. This means that malicious scripts can access any sensitive information that the browser has stored, or has saved on the webpage. This makes XSS attacks pretty much impossible to recognize.

    How can you remove XSS vulnerabilities?

    It’s the job of the owner of the website to find and remove XSS vulnerabilities since that’s where the malicious code lurks, infecting unwitting visitors. Asking people to protect themselves by avoiding suspicious websites doesn’t work in this case as these vulnerabilities affect all websites, trusted and untrusted ones alike. Fortunately, there are tools online you can download to scan websites to check for XSS vulnerabilities.

    How to prevent a cross-site scripting attack

    • Install top-rated antivirus software on your computer

    • Set your software settings to update automatically

    • Download a scanner which can check for vulnerabilities in a website’s code

    Protect yourself against a cross-site scripting attack

    In order to protect yourself from an XSS attack, it’s not enough to avoid untrusted websites. To keep any infections from spreading onto your PC and doing untold damage to your machine or stealing your data, it’s good to have a top-rated antivirus installed, such as Avast Antivirus.