Trusted answers to developer questions
Trusted Answers to Developer Questions

Related Tags

network security
xss
attack
injection

What is Cross-site scripting (XSS)?

Anusheh Zohair Mustafeez

Grokking Modern System Design Interview for Engineers & Managers

Ace your System Design Interview and take your career to the next level. Learn to handle the design of applications like Netflix, Quora, Facebook, Uber, and many more in a 45-min interview. Learn the RESHADED framework for architecting web-scale applications by determining requirements, constraints, and assumptions before diving into a step-by-step design process.

Cross-site scripting (XSS) is a web security vulnerability that allows attackers to inject malicious JavaScript code into trusted websites. XSS attacks are initiated when an attacker sends a malicious script to an unsuspecting user over a web application. Since the user is unaware that the script carries harmful code, they interact with their browser and execute the script.

This malicious script can now collect cookies and other sensitive information from the user’s session without them knowing. The attacker can then use this collected information to wreck havoc for the user. Since the injected script can change HTML content on the website as well, both websites and users are at risk.

svg viewer

How does XSS work?

XSS attacks thrive on one small mistake by a website’s designer: unescaped user input. Sites often interact with users by taking information through text fields. Attackers can inject JavaScript code embedded in HTML tags into these text fields. If this has not been taken into account during web design, the code will be executed in the browser like standard JavaScript. This JavaScript snippet is now part of the website’s HTML and, as soon as a user interacts with it, they will become vulnerable.

svg viewer

Below is an example of vulnerable HTML in a site that takes user input to collect their lunch order:

<% String order = request.getParameter("ord"); %>
    ...
    Lunch: <%= order %>

In the script above, order stores user input. If a user enters a script, <script>alert('XSS Attack!')</script>, instead of text into the browser, this script will become part of the website’s HTML:

    Lunch: <%= <script>alert('XSS Attack!')</script> %>

Now, when a user visits the website, they will see the alert message, “XSS Attack!”.

How to prevent XSS attacks

Good web design can protect both users and websites from irreparable damage. XSS attacks can be prevented by:

  1. Making sure all user input is escaped correctly. This means ensuring that input is treated as text and not executable HTML.
  2. Making sure proper input sanitization is in place If the website needs user input in HTML form.
  3. Setting the HttpOnly flag for cookies so that client-side JavaScript cannot access them.

RELATED TAGS

network security
xss
attack
injection

CONTRIBUTOR

Anusheh Zohair Mustafeez
Copyright ©2022 Educative, Inc. All rights reserved

Grokking Modern System Design Interview for Engineers & Managers

Ace your System Design Interview and take your career to the next level. Learn to handle the design of applications like Netflix, Quora, Facebook, Uber, and many more in a 45-min interview. Learn the RESHADED framework for architecting web-scale applications by determining requirements, constraints, and assumptions before diving into a step-by-step design process.

Keep Exploring