What Is Cross Site Scripting (XSS) and How Does It Work?

Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

Manage Software Risk | Manage software risk at the speed your business demands.

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

API Security Testing | Manage software risks with a holistic API security testing program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source Security & License Management | Effective solutions for ensuring open source security and license compliance
Malicious Code Detection | What hidden threats are lurking under the surface of your code?
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

AppSec Program Strategy News | Get insights from Synopsys cybersecurity experts on building a security program.
DAST News | Expert insight on dynamic analysis (DAST).
IAST News | Expert insight on interactive analysis (IAST).
SAST News | Expert insight on static analysis (SAST).
Open Source and Software Supply Chain News | Discover open source and software supply chain risk management tips and best practices.
Fuzz Testing News | Learn more about fuzz testing, including instrumentation techniques and best practices.
Security and Developer Training News | Articles on security and developer training to help strengthen your team’s knowledge around security
Software Composition Analysis News | Expert insight on software composition analysis (SCA).
Security Risk News | Read the latest information on how to manage application security risks.
Security Research News | Get an analysis of today’s application security news and research.

Case Studies | Application security customer stories
eBooks | Browse the latest ebooks on software security trends and best practices
Glossary | Glossary of Application Security, EDA & Semiconductor IP terms
Reports | Browse the latest application security reports from Synopsys and industry-leading analysts.
Webinars | Browse the latest webinars on application security solutions, trends, and strategies.
White Papers | Access the latest white papers for technical knowledge on application security solutions.

Overview | Learn more about the Synopsys Cybersecurity Research Center.
Research | Access the latest first-party research and analysis from the Synopsys Cybersecurity Research Center.

Press Releases | Browse our most recent news releases.

Table of Contents

What is cross-site scripting?
How does cross-site scripting work?
What are the approaches to cross-site scripting?
How can you avoid XSS vulnerabilities?
What to read next

Definition

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. If the app or website lacks proper data sanitization, the malicious link executes the attacker’s chosen code on the user’s system. As a result, the attacker can steal the user’s active session cookie.

Software Vulnerability Snapshot

The latest report highlights persistent vulnerabilities in web and software application security, including information disclosure/leakage, misconfigurations, and insufficient transport layer protection. The report also emphasizes the risks of vulnerable third-party libraries and the importance of software supply chain security.

Read the report

How does cross-site scripting work?

Here’s an example.

While the payload is usually JavaScript, XSS can take place using any client-side language.

To carry out a cross-site scripting attack, an attacker injects a malicious script into user-provided input. Attackers can also carry out an attack by modifying a request. If the web app is vulnerable to XSS attacks, the user-supplied input executes as code. For example, in the request below, the script displays a message box with the text “xss.”

http://www.site.com/page.php?var=<script>alert('xss');</script>

There are many ways to trigger an XSS attack. For example, the execution could be triggered automatically when the page loads or when a user hovers over specific elements of the page (e.g., hyperlinks).

Potential consequences of cross-site scripting attacks include:

Capturing the keystrokes of a user
Redirecting a user to a malicious website
Running web browser–based exploits (e.g., crashing the browser)
Obtaining the cookie information of a user who is logged into a website, thus compromising the victim’s account

In some cases, the XSS attack leads to a complete compromise of the victim’s account. Attackers can trick users into entering credentials on a fake form, which provides all the information to the attacker.

What are the cross-site scripting approaches?

Stored XSS takes place when the malicious payload is stored in a database. It renders to other users when data is requested if there is no output encoding or sanitization.

Reflected XSS occurs when a web application sends attacker-provided strings to a victim’s browser so that the browser executes part of the string as code. The payload echoes back in response since it doesn’t have any server-side output encoding.

DOM-based XSS takes place when an attacker injects a script into a response. The attacker can read and manipulate the document object model (DOM) data to craft a malicious URL. The attacker uses this URL to trick a user into clicking it. If the user clicks the link, the attacker can steal the user’s active session information, keystrokes, and so on. Unlike stored XSS and reflected XSS, the entire DOM-based XSS attack happens on the client browser (i.e., nothing goes back to the server).

How can you avoid XSS vulnerabilities?

It’s important to implement security measures early in an application’s development life cycle. For example, perform software design phase security activities such as architecture risk analysis and threat modeling. It is equally important to conduct security testing once application development is complete.

Strategies to prevent XSS attacks include

Never trust user input. Always perform input validation and sanitization on input originating from untrusted sources as soon as you receive it. To provide comprehensive coverage, both inbound and outbound input handling should be considered.
Implement output encoding. This step is performed prior to writing user-controllable data. Output encoding escapes user input and ensures that the browser interprets it as benign data and not as code.
Follow the defense-in-depth principle. This strategy utilizes a variety of security controls to ensure the safety of your most valuable assets. Multiple walls of defense (controls) ensure that even if one wall is breached, there are others in place for protection from malicious attacks.
Ensure that web application development aligns with OWASP’s XSS Prevention Cheat Sheet. This is a list of tried and tested techniques to prevent XSS. OWASP advises the use of a combination of techniques as an XSS defense mechanism that can be customized for your specific application.
Perform penetration testing to confirm remediation was successful. Seasoned penetration testers can implement the right real-world attack scenarios to ensure that your high-risk XSS vulnerabilities are fortified.

Protect your organization by following secure development guidelines, building security in at all phases of an application’s development. Output encoding is also key to preventing XSS vulnerabilities. Use output encoding libraries that are relevant to the programming languages and frameworks your organization uses. Also, ensure your developers stay up-to-date with XSS prevention best practices.