
What Is Cross-Site Scripting (XSS)?

Cross-site scripting, also known as XSS, is a cyberattack that happens when a hacker injects malicious code into a legitimate website. Learn where XSS attacks come from and how they work, then find out how to protect yourself against all types of online threats with a top-tier security solution like Avast One.

Written by Ivan Belcic
Published on July 9, 2020

XSS attacks are a type of code injection attack, a broad category of cybercrimes. To perform one of these injection attacks, a hacker adds — injects — their own code into a vulnerable program. Some attacks completely alter the program’s execution, while others add extra behavior, such as downloading malware onto a victim’s computer or stealing personal data.


    How does cross-site scripting work?

    In computer programming, a script is a series of instructions that tells a program what to do. Hackers can exploit vulnerabilities in a website’s code to inject their own malicious scripts that change the website’s behavior in some way.

    Your browser can’t tell the difference between the website’s legitimate code and anything that has been injected by a cybercriminal. Your browser automatically executes all the scripts on a given website, so it will run the hacker’s code along with everything else.

    XSS lets hackers turn legitimate websites into traps. Normal browsing turns dangerous when you land on a site that’s infected with hidden malicious scripts. Even worse, XSS means the hacker doesn’t have to attack each victim directly — they can sit back and let the infected websites do all the work — reaching far more people simultaneously.

    HTML, JavaScript, and web applications: oh my!

    Behind every website is a bunch of code written in a markup language called HTML. Computer programs, such as web applications, use markup languages to distinguish code from normal text.

    With cross-site scripting attacks, hackers can exploit vulnerabilities in a website’s code to inject malicious scripts that change the website’s behavior.

    A web application is a remotely-stored program delivered to you on your computer via your internet browser. Common examples include webmail services and e-stores. As you feed input into the web app, it interprets and acts on your requests back on its server, then relays the results to you in your browser. The difference between web applications and native apps is that the latter are “traditional” programs that are installed and run fully on your device.

    Websites written solely in HTML can’t dynamically adjust to user input. So, to let web applications do their thing, programmers blend HTML with additional languages such as JavaScript — a more advanced language that allows sites to react in real time to your commands. If you’re browsing a clothing shop, say, and you choose to view “sweaters” from a drop-down menu, JavaScript tells the website to show you all the sweaters, and only the sweaters, that you can buy.

    While a site’s HTML is typically generated on the server, JavaScript runs in the browser on your machine (known as client-side operation). Most XSS attacks use HTML or JavaScript, and that difference is critical for understanding how the different types of XSS attacks work.

    What can a cross-site scripting attack do?

    XSS attacks aren’t usually as dangerous as other types of code injection attacks, such as SQL injection. Browsers tend to keep JavaScript content on a tight leash, but a skilled hacker can work within these confines to tap into a range of user data.

    Many XSS attacks aim to hijack the victim’s session cookies when they view the infected website. With these cookies, the hacker can act on the victim’s behalf and access their personal information, such as usernames and passwords, to use in further cybercrimes. On an e-commerce portal, that data might even include credit and debit card numbers.

    With XSS, a legitimate website can be transformed into a phishing portal. For example, a hacker can use XSS to create a poisoned login form that captures victims’ credentials when they’re submitted. Someone could also inject a keylogger that records the victim’s keystrokes while they’re on the affected page. Malicious scripts can even download malware onto victims’ computers to set the stage for follow-up attacks.

    Since every website uses HTML, and because most websites also use JavaScript, all a hacker needs to do is find one they can exploit. That’s why XSS is one of the most prevalent security vulnerabilities in software today.

    Not only is XSS widespread, it’s also incredibly hard to detect, because hackers can insert malicious code into otherwise legitimate sites. The owners of these trustworthy websites may not spot or be able to remove the malicious code for some time. Rather than waiting for XSS code to be removed — or being paranoid about every site out there — the best remedy is to use a robust cybersecurity tool.

    Avast One helps to stop XSS in its tracks, so you’re never at risk of giving away your personal info to a hacker. It also provides 24/7 protection against malicious links, infected email attachments, and all the other online threats out there.

    What types of cross-site scripting attacks are there?

    There are three basic categories of XSS attacks. The first two — reflected and stored — involve code manipulation on the web application server, while DOM-based XSS attacks are a newer category that functions exclusively on the victim’s device.

    Reflected cross-site scripting

    Reflected XSS is the simplest and most common of the three types of XSS attacks. It’s the easiest to execute, and (as is usually the case in these situations) it’s also the easiest for you to detect and avoid. In fact, it’s the only type that you can reasonably hope to detect on your own, without the aid of antivirus software.

    Also known as non-persistent attacks, reflected XSS requires victims to click malicious links already primed with the hacker’s script. The victim’s browser sends the loaded request to the website’s server, and it’s then “reflected” back to the victim via an infected page. The hacker doesn’t have to breach the website itself, but they do need to convince potential victims to click their infected links. It’s a trade-off between technical wizardry and feats of social engineering.

    Stored cross-site scripting

    Whereas reflected XSS attacks must be actively initiated every time via a malicious link, stored XSS overcomes this limitation. Stored XSS allows hackers to permanently inject their scripts directly into a website, infecting each user who visits it. That’s why they’re also known as persistent cross-site scripting attacks. Stored XSS attacks are more complicated than their reflected counterparts, because a hacker must identify a website with:

    • Enough traffic to be worth attacking, and

    • A security vulnerability that can be targeted with stored XSS attacks.

    But if a hacker can pull it off, they’re able to affect a much wider range of potential victims — anyone who views an infected site will have the malicious scripts delivered to their browser. It’s for this reason that stored XSS is nearly impossible to detect. There aren’t any warning signs to raise suspicions until it’s too late.

    DOM-based cross-site scripting

    In DOM-based XSS attacks, hackers modify the interaction between your browser and the websites you visit, altering the way those websites reflect your input back to you. Whereas reflected and stored XSS attacks affect server-side HTML, DOM-based XSS attacks skip all that and focus exclusively on what your browser is doing.

    Remember from above how most sites use JavaScript to enable dynamic functionality? It’s JavaScript that handles things on your end and tells the website how to react to your commands. If a hacker can intercept the process by which your client-side JavaScript conveys your input to the web application, they can make changes to the way the app executes within your browser.

    How can I prevent cross-site scripting attacks?

    By design, scripts are automated procedures that don’t need any input from you to execute. This automation makes most XSS attacks impossible to detect, since your browser won’t know which scripts are legitimate and which have been injected by a hacker. Reflected XSS attacks are an exception to the rule — it’s possible to avoid these as described above. Otherwise, it’s the responsibility of a website’s admin to find and plug any XSS vulnerabilities before they can be exploited to target users.
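
    For a site admin, the reflected and stored cases described above come down to the same server-side flaw: user input written into a page as markup instead of text. The following is an added example, not code from the original article; every function name is hypothetical, and the probe string and session ID are constructed sample values.

```javascript
// Added example; every function name here is hypothetical.

// Encode the characters that let text break out of an HTML text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected case: a value from the request URL is echoed into the response page.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`; // input is parsed as markup
}
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`; // input stays inert text
}

// Stored case: a comment is saved once and rendered for every later visitor.
const comments = []; // stands in for a database table
function saveComment(author, body) {
  comments.push({ author, body });
}
function renderComments(encode) {
  return comments.map((c) => `<li><b>${encode(c.author)}</b>: ${encode(c.body)}</li>`).join('');
}
const renderCommentsVulnerable = () => renderComments((s) => s);
const renderCommentsSafe = () => renderComments(escapeHtml);

// Response headers that limit the damage if an injection slips through:
// HttpOnly hides the session cookie from scripts; the CSP refuses inline scripts.
function hardenedHeaders(sessionId) {
  return {
    'Set-Cookie': `sid=${sessionId}; HttpOnly; Secure; SameSite=Lax`,
    'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  };
}

const containsScriptTag = (html) => /<script/i.test(html);

// Constructed sample input, harmless by design.
const probe = '<script>alert(1)</script>';
saveComment('visitor', probe);

console.log('reflected, vulnerable:', containsScriptTag(renderSearchVulnerable(probe)));
console.log('reflected, safe:      ', containsScriptTag(renderSearchSafe(probe)));
console.log('stored, vulnerable:   ', containsScriptTag(renderCommentsVulnerable()));
console.log('stored, safe:         ', containsScriptTag(renderCommentsSafe()));
console.log(hardenedHeaders('constructed-session-id'));
```

    Encoding at the point of output covers both cases because the stored comment is neutralized every time it is rendered, regardless of how it entered the database.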

    Defending against reflected cross-site scripting attacks

    With reflected cross-site scripting, the attacker’s challenge is to trick the victim into clicking a poisoned link. But that also gives you a chance to sidestep this type of XSS attack, unlike the other two types. You can avoid reflected XSS attacks by following one of the internet’s most hallowed best practices: don’t click suspicious links.

    Avoid cross-site scripting attacks by not clicking on suspicious links.

    Ignore links that you find in:

    • Website comment sections, forums, and message boards.

    • Emails and instant messages from unknown senders.

    • Social media posts from people you don’t know.

    • Suspicious messages from your contacts that don’t sound like them — they may have been hacked.

    But even those tips aren’t foolproof. For example, hackers can use spoofing to make it seem as though their communications are being sent to you from trusted contacts. Or, they can trick you into clicking with effective social engineering chicanery. Always keep your guard up when it comes to the internet.

    Protect against cross-site scripting with Avast One

    XSS attacks are notoriously difficult to detect, and you can’t rely on your browser to keep you safe. Take an active stand against cybercriminals by using a powerful security solution designed to detect and prevent threats of all stripes.

    Avast One is a comprehensive cybersecurity tool trusted by hundreds of millions of people all around the world. By continually monitoring your device and network connection for any hints of trouble, Avast safeguards your valuable data against even the sneakiest hacking techniques.
