At its core, XSS is a code injection vulnerability where an attacker executes malicious scripts (usually JavaScript) in a victim’s web browser. It happens because a web application takes untrusted data and sends it to a web browser without properly validating or encoding it first.
Why is it called “Cross-Site”?
The name comes from the original way the exploit was used: a script from one site (the attacker’s) “crosses over” to execute in the context of another site (the victim’s). This allows the script to bypass the Same-Origin Policy (SOP)—the security wall that usually prevents a script on attacker.com from reading data on your-bank.com.
The Three Main Types
As you’ve noted in your recent questions, XSS is generally categorized into three types:
- Stored XSS (Persistent): The script is permanently stored on the server (database, comment section) and served to every user who views the affected page.
- Reflected XSS (Non-Persistent): The script is “bounced” off the server via a URL or form submission and executes only for the user who follows that link or submits that form.
- DOM-based XSS: The entire vulnerability exists in the client-side code (the Document Object Model) rather than the server-side code. The server never even sees the malicious script; it is handled entirely by the victim’s browser.
What can an attacker do with XSS?
In your pentesting lab, you’ve likely seen how powerful a simple script can be. Once a script runs in a user’s browser, the attacker can:
- Steal Session Cookies: This is the most common goal, allowing the attacker to hijack the user’s logged-in session.
- Keystroke Logging: Capture everything the user types on that page (passwords, credit card numbers).
- Phishing/Defacement: Change the content of the page to show a fake login form or spread misinformation.
- Forced Actions: Make the user perform actions they didn’t intend to, like changing their password or deleting their account.
How to Stop It (The Analyst’s View)
Since you are pursuing your CySA+ and WGU degree, you’ll need to know the remediation steps:
- Output Encoding: Convert characters like < into &lt; before they are written into the page. This tells the browser “Display this as a bracket, don’t treat it as a script tag.”
- Input Validation: Filter out dangerous characters or, better, only allow “Known Good” input (Allowlisting).
- Content Security Policy (CSP): A modern browser security layer that tells the browser which scripts are allowed to run, effectively blocking most XSS attacks even if a vulnerability exists.
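To make the first two remediation steps concrete, here is a small added example (not code from the original answer) showing a vulnerable template beside one that applies output encoding, plus an allowlist validator. The comment string and the field names are constructed for illustration.

```python
import html
import re

# Constructed sample input: the kind of stored comment that triggers stored XSS
SAMPLE_COMMENT = 'Nice post! <script>alert(1)</script>'

# Entity mapping for the characters that carry meaning in HTML text and attribute contexts
HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def encode_for_html(untrusted: str) -> str:
    """Output encoding: replace markup-significant characters with entities so the
    browser displays them as text instead of parsing them as tags or attributes."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in untrusted)


def render_comment_vulnerable(comment: str) -> str:
    """The 'before' case: untrusted data is dropped straight into the page."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """The remediated case: the same data, encoded at the point of output."""
    return f"<p>{encode_for_html(comment)}</p>"


def contains_raw_tag(rendered: str) -> bool:
    """Check used to compare the two renderings: is a literal tag still present?"""
    return "<script" in rendered.lower()


# Allowlisting: accept only the shape a username is supposed to have (hypothetical rule)
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def is_valid_username(value: str) -> bool:
    """Input validation by allowlist: anything outside the known-good pattern is rejected,
    so there is no list of 'bad characters' to keep up to date."""
    return USERNAME_PATTERN.fullmatch(value) is not None


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    # The hand-rolled encoder matches the standard library's html.escape(s, quote=True)
    print(encode_for_html(SAMPLE_COMMENT) == html.escape(SAMPLE_COMMENT, quote=True))
```

In a real application you would rely on the templating engine's auto-escaping (or html.escape) rather than a hand-written table; the explicit mapping is here only to show what the encoding actually does.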