Cross-Site Scripting (XSS) — Injecting Malicious Code into Trusted Web Applications
Cross-Site Scripting (XSS) is a web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This SECMONS glossary entry explains how XSS works, its types, real-world impact, and how defenders can prevent it.
What Is Cross-Site Scripting (XSS)? 🧠
Cross-Site Scripting (XSS) is a web vulnerability that allows attackers to inject malicious scripts into content delivered by a trusted website.
It is formally classified as CWE-79 — Improper Neutralization of Input During Web Page Generation under the /glossary/cwe/ taxonomy.
When disclosed publicly, XSS vulnerabilities are assigned a /glossary/cve/ identifier and evaluated using /glossary/cvss/.
Unlike server-side exploits such as /glossary/sql-injection/, XSS executes in the victim’s browser.
How XSS Works 🔎
An XSS vulnerability typically occurs when:
- A web application accepts user input.
- That input is embedded into a webpage without proper sanitization.
- A malicious script is executed in another user’s browser.
The browser trusts the content because it appears to originate from a legitimate site.
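The three steps above, shown in code. This is an added example and not code from the SECMONS entry: a page that renders stored comments by string concatenation, beside the same page with HTML-context output encoding applied. The comment data, author names and the `renderComments*` and `escapeHtml` function names are constructed for the illustration; the script runs in plain Node with no dependencies.

```javascript
// Added example (not from the SECMONS entry): how unencoded input becomes
// markup, and what HTML-context output encoding changes.

// Constructed sample data standing in for a comments table. The second
// comment contains markup, which a stored-XSS check must never let through.
const storedComments = [
  { author: 'alice', body: 'Great write-up, thanks!' },
  { author: 'mallory', body: '<script>document.title="owned"</script>' },
];

// Encode the characters that carry meaning in an HTML text node or a
// double-quoted attribute value. This is output encoding for the HTML-body
// context; other contexts (JavaScript strings, URLs, CSS) need other rules.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Step 1 + 2 from the entry: user input is accepted and embedded in the page
// with no encoding. Whatever the comment contains is parsed as HTML.
function renderCommentsUnsafe(comments) {
  return comments
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('\n');
}

// Fixed rendering: every user-controlled value is encoded for the context it
// lands in (here, HTML text), so the browser shows the markup as text.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// A check a test suite can run over rendered output: does it contain a script
// element the template itself did not put there? (The template has none.)
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log('--- unencoded ---');
console.log(renderCommentsUnsafe(storedComments));
console.log('--- encoded ---');
console.log(renderCommentsSafe(storedComments));
```

Run with `node` and compare the two listings: the unencoded version contains a live `<script>` element served from the site's own origin, which is exactly why the browser trusts it; the encoded version shows the same text harmlessly as `&lt;script&gt;...`. Assertions of the `containsScriptElement` kind belong in the application's tests for every template that renders user data.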
This allows attackers to:
- Steal session cookies
- Capture keystrokes
- Redirect users
- Modify page content
- Perform actions on behalf of victims
Types of XSS 🔬
| Type | Description |
|---|---|
| Stored XSS | Malicious script saved on the server (database, file, message store) and served to every user who views the affected page |
| Reflected XSS | Malicious script carried in the request (URL parameter, form field) and reflected in the immediate response to that same request |
| DOM-based XSS | Client-side JavaScript writes untrusted data (for example from the URL fragment) into the page; the server may never see the payload |
Stored XSS is often more severe because it affects multiple users automatically.
Why XSS Is Dangerous 🎯
XSS may not directly enable /glossary/remote-code-execution/ on the server, but it can:
- Hijack authenticated sessions
- Steal sensitive data
- Deliver phishing forms
- Inject malicious scripts into trusted domains
- Facilitate account takeover
In some cases, XSS is leveraged as a step in broader attack chains involving:
XSS vs Other Injection Vulnerabilities 🔄
| Vulnerability | Execution Context |
|---|---|
| SQL Injection | Database server |
| Command Injection | Operating system |
| XSS | User browser |
| LDAP Injection | Directory services |
While XSS does not directly compromise backend systems, its impact on users can be significant.
Defensive Considerations 🛡️
Preventing XSS requires:
- Proper input validation and sanitization
- Context-aware output encoding
- Content Security Policy (CSP) enforcement
- HttpOnly (and Secure, SameSite) attributes on session cookies
- Secure development practices
- Regular application security testing
If an XSS vulnerability is confirmed as /glossary/exploited-in-the-wild/ or appears in the /glossary/known-exploited-vulnerabilities-kev/ catalog, remediation priority increases.
Operational mitigation strategies are often documented under:
Why SECMONS Includes XSS Clearly 📌
Cross-Site Scripting remains one of the most common web application vulnerabilities.
Understanding its mechanics helps defenders evaluate risk beyond server-side compromise and recognize its role in credential theft and session hijacking.
Authoritative References 📎
- MITRE CWE-79 Entry: https://cwe.mitre.org/data/definitions/79.html
- OWASP XSS Prevention Cheat Sheet: https://owasp.org/