Cross-Site-Scripting (XSS)

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Cross-Site-Scripting (XSS)

Cross-Site Scripting is a class of web application vulnerabilities, which is still one of the most common security vulnerabilities in web applications and can be used to compromise the confidentiality, integrity, and availability of the application. In general, XSS vulnerabilities allow an attacker to execute script code in the web browser of the victim and can be used to gain data from users, like cookies or private information. The different types are listed below. It is also possible to trigger actions on websites, redirect to other sites or hide advertisements. A short game with which some options can be seen easily: XSS game


There are two ways to classify XSS attacks. Up until 2012 the types DOM-based (Type 0), stored/persistent (Type I) and reflected/non-persistent (Type II) were used. As these three types can overlap the research community started to use the terms Server XSS and Client XSS from 2012 on.

Server-XSS vs Client-XSS Chart.png

Stored (Type I)

With Stored XSS, also referred to as persistent XSS, the application or API saves uncleaned user input on the server, such as in a database, comment field, visitor log, etc., which then is displayed at a later point in time by another user or administrator, that requested the stored information.

Reflected (Type II)

Reflected XSS is a non-persistent attack and is used to steal session cookies from a user. With Reflected XSS, the application or API includes unchecked and unmasked input from the user as part of the HTML output. If the attack was successful, the attacker could execute arbitrary HTML and a scripting language such as Javascript in the victim's browser. Typically, a user will have to click on a malicious link to do this. The attacker tries to bring this harmful link to the victim, via advertising, e-mail etc.

DOM Based (Type 0)

DOM-based Cross-Site Scripting (XSS) is a type of XSS attack that occurs when malicious code is injected directly into the Document Object Model (DOM) of the web application. DOM-based XSS attacks can occur when user-supplied data is used to generate client-side JavaScript code without proper input validation. The malicious code is then sent to a user's browser, where it is executed. DOM-based XSS attacks can be used to gain access to sensitive information, perform malicious activities, and even hijack the user’s browser.


The prevention of these vulnerabilities are the task of the programmer. The programmer should be encouraged to use secure programming measures, like Context-sensitive server-side output encoding, to ensure that it is not possible to inject malicious scripts into the site through incorrect or unchecked entries.

  • Input validation: The most effective way to prevent cross-site scripting attacks is to perform rigorous input validation. This means validating any user input before it is accepted and processed by the server.
  • Output encoding: Output encoding is another effective way to prevent cross-site scripting. This technique involves encoding all output data (using HTML entities) so that it is properly displayed in the user’s browser.
  • Content Security Policy: Content Security Policy (CSP) is a security measure that can be used to prevent cross-site scripting attacks. It is a set of rules that define what type of content a website can load.
  • Use of tokens: Tokens are random strings of characters that are used to identify a user. This can help to prevent cross-site scripting attacks by ensuring that only authorized users can access the website.
  • Disabling script execution: Disabling script execution on the server can also help to prevent cross-site scripting attacks. This can be done by disabling the use of certain scripting languages such as JavaScript or VBScript. But as JavaScript is commonly used, this approach is rarely used by programmers.