What is Cross-site Scripting?

What is cross-site scripting? How to prevent it from happening to your website? Read on and you will find out this and much more.

Updated: 14 Apr, 23 by Antoniy Yushkevych


Cybersecurity is something every website owner should implement into their site. Statistics show that most cyberattacks are actually carried out on small to medium-sized sites as they are the ones that will most likely not have the proper security measures in place. Today we will learn a little about a specific type of attack that is especially popular amongst hackers.

There are numerous ways that a site’s security can be compromised. One possible method of attack is an injection attack (i.e. the attacker provides untrusted input to a program). The two most common types of injection attacks are SQL injection (SQLi) and Cross-site Scripting (XSS) attacks. Today we will discuss the latter and how to protect your site from XSS vulnerabilities.

 

Cross-site Scripting is a type of computer security vulnerability that allows attackers to inject client-side scripts into webpages viewed by other users. The attack is carried out when the victim actually visits the compromised web page. The malicious code inserted by the attacker is sent to the victim inside the page’s HTML file and is then executed by the browser. XSS vulnerabilities are most frequent in forums, message boards, and websites that allow comments, but they are not limited to these kinds of sites.

In fact, any web page or application that includes unsanitized user input in its output is considered vulnerable. Certain incompetent website admins might say that since XSS is executed on the client side, it is not the site’s problem. Despite their claims, their website acts as the delivery method for this malicious code, so ignoring these vulnerabilities displays professional negligence. Cross-site scripting could also be used to deface a site by changing its content or redirecting to malicious pages, thus attacking the site directly, not only its users.

 

The ability to execute code in another user’s browser provides the attacker with the capability to execute the following types of attacks:

  • Phishing: inserting fake login forms into sites, tricking other users into willingly handing over their sensitive information.
  • Keylogging: using addEventListener, the attacker can register all of the user’s keystrokes and forward the logs to his own server.
  • Cookie theft: the attacker can retrieve the victim’s cookies associated with the website, thus retrieving sensitive information such as the session ID and more.

Although these are completely different attack methods, they are all done by executing JavaScript code in a victim’s browser and thus are considered Cross-site Scripting attacks.

 

There are also three ways in which the hacker could inject the malicious code into the site and they are:

Stored (a.k.a. Persistent) XSS:

These types of XSS attacks are carried out when the injected code is permanently stored on the target server. The victim then retrieves the script when he requests stored info.

Reflected (a.k.a. Non-Persistent) XSS:

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website.

DOM-based XSS:

DOM-based XSS (also known as DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data to a potentially dangerous sink within the DOM.

 

Likewise, there are 3 main ways to prevent XSS attacks:

Escaping:

Now, this method is a must for any website. Escaping data means taking the data the application has received and making sure it’s secure before rendering it for the user. Basically, it keeps certain symbols from being interpreted in a malicious way. Good examples are the < and > symbols, which attackers could use to inject malicious code.

Validating:

This is not considered to be a primary XSS injection prevention method; however, it should reduce the effects of an attack if a vulnerability is found. Validating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database, and users. While whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS.

Sanitizing:

This method is an effective way to prevent cross-site scripting attacks; however, it should not be used alone. There are many trusted filters online that you could use to sanitize user input. Sanitizing is especially important on sites that allow HTML markup, where it guarantees that the received data can do no harm by changing unacceptable user input into a safe format.
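The escaping and validating steps described above, shown side by side for a comment form. This is an added example, not code from the original article; the field names (author, text, website), the length limits and the sample input are assumptions.

```javascript
// Added example: output escaping plus allowlist validation for a comment form.
// Field names and limits are assumptions, not taken from the article.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the characters that let text break out of HTML element content
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated into the markup unchanged.
function renderCommentUnsafe(comment) {
  return `<li><b>${comment.author}</b>: ${comment.text}</li>`;
}

// Hardened: every user-controlled value is escaped when it is written out.
function renderComment(comment) {
  return `<li><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.text)}</li>`;
}

// Validation (second layer): accept only what each field is expected to hold.
function validateComment(input) {
  const errors = [];
  if (!/^[A-Za-z0-9_ ]{1,32}$/.test(input.author ?? "")) errors.push("author");
  const text = input.text ?? "";
  if (text.length < 1 || text.length > 2000) errors.push("text");
  if (input.website !== undefined) {
    try {
      const url = new URL(input.website);
      // Allowlist of link schemes: only http and https are accepted.
      if (!["http:", "https:"].includes(url.protocol)) errors.push("website");
    } catch {
      errors.push("website"); // not a parseable absolute URL
    }
  }
  return errors;
}

// Constructed sample input.
const sample = { author: "guest_1", text: "<script>alert(1)</script>" };
console.log(renderCommentUnsafe(sample)); // markup reaches the page as-is
console.log(renderComment(sample)); // the same text, rendered inert
```

Escaping is applied at output time, so it still protects the page when a value passes validation or was stored before validation existed.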

Of course, in order to properly implement any or all of these methods, sufficient cybersecurity knowledge is required, and we do not recommend you try and do it on your own unless you have said skills.

 

Cross-site scripting is one of the most popular methods that hackers use to carry out cyberattacks. We hope you have learned more about XSS attacks, how they are done, and how to protect your site from falling victim to such a threat. If you have any questions or suggestions, please leave them in the comment section down below.

Antoniy Yushkevych


Master of word when it comes to technology, internet and privacy. I'm also your usual guy that always aims for the best result and takes a skateboard to work. If you need me, you will find me at the office's Counter-Strike championships on Fridays or at a.yushkevych@monovm.com