Cross-site scripting (XSS) occurs when an attacker injects malicious script into an otherwise trusted website. The malicious script then runs in the victim's web browser, often in an attempt to steal user information such as credentials, session cookies and other sensitive data. Anywhere that accepts user input can be vulnerable to an XSS attack. To avoid these attacks a web developer must ensure that user input is validated, and encoded before it is written into a response. Despite being discovered in the 1990s, cross-site scripting has consistently remained one of the OWASP Top 10 web application security risks.
There are three types of cross-site scripting.
To prevent XSS vulnerabilities: use frameworks that escape output by design, apply context-based encoding, escape untrusted HTTP request data before it is output, and enable a Content Security Policy (CSP).
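As an added illustration of the prevention advice above (this code is not part of the glossary), the following Node.js snippet shows a vulnerable response builder that reflects a request parameter raw, beside a hardened version that encodes the same value for each output context, plus a CSP header value that leaves no executable sink for inline script. The function names and the sample input are constructed for the example.

```javascript
// Added example (not from the glossary): context-based output encoding of
// untrusted request data, beside the vulnerable "reflect it raw" form, plus
// a Content-Security-Policy header. Runs under Node.js with no dependencies.

// Encoder for the HTML body/text context: neutralises every character that
// can open a tag, attribute or entity.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// Encoder for a JavaScript string-literal context (e.g. inside <script>):
// hex-escape everything outside [A-Za-z0-9] so the value can never close
// the string literal or the script element.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable rendering: the search term from the request is pasted straight
// into the response, so any markup it contains runs in the victim's browser.
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened rendering: each placeholder uses the encoder for its own context
// (HTML text vs. JavaScript string). The same value, two different encoders.
function renderSearchSafe(term) {
  return `<p>Results for: ${encodeForHtml(term)}</p>` +
         `<script>var lastQuery = "${encodeForJsString(term)}";</script>`;
}

// CSP value that forbids inline and third-party scripts, so even an encoding
// miss elsewhere in the page has nowhere to execute.
function buildCspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample input: the classic probe string used in XSS tutorials.
const sample = '<script>alert(1)</script>';
console.log(renderSearchUnsafe(sample)); // markup survives intact
console.log(renderSearchSafe(sample));   // only inert, encoded text reaches the page
console.log('Content-Security-Policy: ' + buildCspHeader());
```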
A cross-site scripting vulnerability abuses the trust a user has in a website, whereas a CSRF vulnerability abuses the trust a website has in a user. Cross-site scripting is one of the most common web vulnerabilities and can lead to phishing attacks, website defacement, session hijacking and the installation of malware on a victim's computer.