Web Security

XSS (Cross-Site Scripting)

About 4 min read

Last updated: 2026-03-10

What Is XSS (Cross-Site Scripting)

XSS (Cross-Site Scripting) is an attack technique that exploits vulnerabilities in web applications to execute malicious JavaScript in a user's browser. Because the injected script runs in the context of the legitimate site within the victim's browser, it can cause extensive damage including cookie theft, session hijacking, redirection to phishing pages, and keystroke logging.

XSS has been a staple of the OWASP Top 10 for many years and is one of the first security risks that web application developers should understand.

Three Types of XSS

XSS is classified into three types based on how the attack works.

Reflected XSS

This occurs when data submitted by the user (URL parameters, form inputs, etc.) is reflected directly in the server's response. The attacker crafts a URL containing a malicious script and tricks the victim into clicking it. A typical example is displaying input values without escaping on search result pages or error messages.

Stored XSS

A malicious script is stored in the server's database and executed every time another user views that data. Targets include forum posts, user profiles, and comment sections. Unlike reflected XSS, the victim does not need to click a specific URL, so the impact is broader.

DOM-Based XSS

This occurs on the client side when JavaScript manipulates the DOM (Document Object Model). User input is inserted into the DOM in an unsafe manner through document.location, document.URL, innerHTML, and similar APIs. Because the malicious code is not present in the server's response, it cannot be detected in server-side logs.

Specific Attack Scenarios

Let's look at specific scenarios to understand how XSS attacks are carried out.

Session Hijacking via Cookie Theft

An attacker posts a script on a forum. When other users view the post, the session cookie stored in their browser is sent to the attacker's server. The attacker uses that cookie to take over the victim's session and operate the site as if logged in as the victim.

This attack can be prevented if the HttpOnly attribute is set on the cookie, which blocks JavaScript access. However, many sites still do not set HttpOnly.

Phishing Form Injection

XSS is used to display a fake login form on a legitimate site, stealing the user's credentials. Since the URL remains on the legitimate domain, it is extremely difficult for the user to notice the fake form.

Defenses and Implementation Best Practices

XSS countermeasures are fundamentally based on defense in depth, combining input validation, output escaping, and browser protection features.

  • Thorough output escaping: Apply appropriate escaping for the output context - HTML, JavaScript, URL, CSS, etc. In an HTML context, convert <, >, &, ", and ' to their entity equivalents
  • Implementing CSP (Content Security Policy): Prohibit inline script execution and allow only scripts from permitted domains. Even if XSS occurs, the attacker's script execution can be blocked
  • Cookie HttpOnly attribute: Set HttpOnly on session cookies to block JavaScript access
  • Input validation: Verify that user input matches expected formats (numbers, email addresses, etc.). However, input validation alone cannot fully prevent XSS, so it must be combined with output escaping
  • Template engine auto-escaping: Frameworks like React, Vue, and Angular escape output by default. Minimize use of dangerouslySetInnerHTML (React) or v-html (Vue)
  • Security header configuration: Prevent MIME type sniffing with X-Content-Type-Options: nosniff

Detecting XSS patterns with a WAF is also effective, but WAFs can be bypassed, so they should not replace application-level countermeasures.

To learn more about this topic, see HTTP Security Headers: 5 Essential Headers to Protect Your Website.

Common Misconceptions

XSS is a minor vulnerability that only defaces the appearance
XSS can lead to serious damage including session hijacking, credential theft, malware distribution, and admin privilege escalation. Stored XSS in particular affects every user who visits the site, making its impact extremely broad.
Validating input is enough to prevent XSS
Input validation is just one layer of defense. Attackers bypass validation through encoding conversion, Unicode normalization, context switching, and other techniques. The fundamental countermeasure is context-appropriate escaping at output time, combined with CSP.

XSS vs. CSRF Comparison

XSS

Executes the attacker's script in the victim's browser. Exploits the site's trust in the user. Countermeasures include output escaping and CSP. Primary damage includes cookie theft and session hijacking.

CSRF

Forges legitimate requests from the victim's browser. Exploits the user's trust in the site. Countermeasures include token verification and SameSite cookies. Primary damage is execution of unintended actions.

Share

Related Terms

CSP (Content Security Policy) An HTTP response header that provides a powerful mechanism for restricting the s… Security Header HTTP response headers sent by a web server that instruct the browser to enforce … CSRF (Cross-Site Request Forgery) An attack that tricks a user's browser into sending unintended HTTP requests to … WAF (Web Application Firewall) A security solution that monitors, filters, and blocks malicious HTTP/HTTPS traf… Clickjacking An attack technique that overlays a transparent or disguised iframe containing a… Browser An application for displaying web pages. Interprets HTML, CSS, and JavaScript fr…

Related Articles

HTTP Security Headers: 5 Essential Headers to Protect Your Website An introduction to important HTTP security headers including Content-Security-Policy, Strict-Transpo… API Security Basics: Protecting the Backend of Web Services Learn how APIs can be exploited and the fundamental security measures like authentication, authoriza… What Is a Browser - How It Works and How to Stay Safe Learn how browsers work, compare major browsers, understand how web pages load, explore privacy feat…
← Glossary