While cross-site scripting (XSS) is a website vulnerability that’s existed since the 1990s, XSS is still prominent today. Cross-site scripting is one of the most commonly detected vulnerabilities in Verizon's 2020 Data Breach Investigations Report and has been listed as one of the Open Web Application Security Project's top 10 vulnerabilities since its first publication.
Here's a closer look at the challenge of how to mitigate cross-site scripting.
What is cross-site scripting?
With cross-site scripting, an attacker injects their own code onto a legitimate website; the code then gets executed when the site is loaded onto the victim's browser.
How does cross-site scripting work?
XSS works because web browsers inherently trust that the code behind the websites they load will be "normal" and secure. In popular XSS attacks, malicious code is either added to the end of a URL or posted directly onto a page that displays user-generated content.
These attacks succeed because vulnerabilities are widespread and can happen whenever a web application fails to validate or encode user input. In many cases, the unsuspecting user's browser will trust—and therefore execute—the malicious script.
What is cross-site scripting's aim?
An XSS attack's primary goal is to take over access to the user's resources or data. With the right access, the attacker can read data, impersonate the user, intercept confidential data or even make website changes.
What are the risks of cross-site scripting?
The risks of an XSS are dangerous yet straightforward. A successful attack allows the attacker to perform all the available actions of the target user in a web application—including sending messages, capturing keystrokes or conducting financial transactions. XSS scripts may access cookies or session tokens or other sensitive browser data.