Skip to content

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

Description

Cross-site-scripting (XSS) vulnerabilities occur when unsanitized user-controlled input is served to the user.

XSS vulnerabilities bypass same-Origin-Policy, which is a core principle of web security. SOP ensures that a page from http://evil.com can't access the content of a page from http://bank.com.

XSS is commonly separated into three families

  • Reflected: the user-controlled input is directly reflected in the page response
  • Stored: the user-controlled input is stored on the server side, for instance, in a database, and is later returned to user
  • DOM-based: the user-controlled input is injected on the client-side to the DOM, triggering the injection of malicious JavaScript

XSS vulnerabilities allow an attacker to perform a variety of malicious actions, like exfiltration of personal data, including user session or account information; perform actions on behalf of the user.

Recommendation

In general, cases, preventing XSS vulnerabilities requires 2-step protection:

  • Input validation: user-controlled input should be validated to forbid all unauthorized characters, phone number For instance, only numbers; names should only contain alphabetical characters, etc.
  • Output encoding: all input shown to the user is encoded correctly using proven standard API. Use of a safe template engines with native support for output encoding and secure defaults are highly recommended.

Standards