Cross-Site Scripting (XSS)

Security Glossary - Web Security

Definition: Cross-Site Scripting is a vulnerability that allows attackers to inject malicious JavaScript into web pages viewed by other users. The injected script runs in the victim's browser with the same privileges as the legitimate site, enabling the attacker to steal session cookies, redirect users, deface pages, or capture keystrokes.

At a Glance

  • Attacker injects malicious scripts into web pages viewed by other users
  • Three types: Stored (persistent), Reflected (non-persistent), DOM-based
  • Primary defense: output encoding and Content Security Policy
  • Can steal session cookies, redirect users, or modify page content
  • Consistently in OWASP Top 10 since its inception

Why XSS Matters

XSS is consistently one of the most common web vulnerabilities, appearing in the OWASP Top 10. It occurs when an application includes untrusted data in a web page without proper validation or escaping. There are three main types: stored XSS (malicious script saved in a database and served to later visitors), reflected XSS (script in a URL parameter echoed back in the response), and DOM-based XSS (client-side script writing untrusted data into the DOM, so the server response itself is clean).

The impact of XSS ranges from nuisance (page defacement) to critical (session hijacking, credential theft). An attacker exploiting XSS on a banking site could transfer funds. On a social media site, they could spread malware to all of a user's contacts.

Defenses include Content Security Policy (CSP) with nonce-based script controls, output encoding (HTML-escaping untrusted data before rendering it), input validation, and modern frameworks (React, Vue, Angular) that auto-escape output by default. CSP is the strongest server-side defense because, even if escaping is missed somewhere, the browser refuses to execute an injected script that does not carry the current nonce.

Real-World Example

In 2018, a stored XSS vulnerability in British Airways' website allowed attackers to inject a malicious script that captured payment card details as customers entered them. The Magecart group exploited the flaw for over two weeks, compromising approximately 380,000 payment cards. BA was fined 20 million GBP by the ICO under GDPR.

How to Check

A security audit checks for CSP headers that help prevent XSS. A properly configured nonce-based CSP blocks most XSS attacks in the browser. For application-level XSS testing (finding the places where untrusted data reaches the page unescaped), use specialized security scanning tools.

Frequently Asked Questions

Does CSP prevent all XSS attacks?

A strict nonce-based CSP prevents most XSS by blocking inline scripts without valid nonces. However, it cannot prevent DOM-based XSS that manipulates existing trusted scripts, or XSS through CSS injection. CSP is a critical defense layer but should be combined with proper output encoding.

Are modern JavaScript frameworks immune to XSS?

Frameworks like React and Angular auto-escape output by default, making accidental XSS much harder. However, they all have escape hatches (like React's dangerouslySetInnerHTML) that bypass protections. Developers must still be careful with these APIs.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.