Understanding Cross-Site Scripting

Jun 16, 2025

Overview

This lecture covers cross-site scripting (XSS) attacks, their mechanisms, real-world examples, types, and ways to prevent them.

What is Cross-Site Scripting (XSS)?

  • XSS is a web vulnerability where attackers inject malicious scripts into trusted websites.
  • The term "XSS" is used to avoid confusion with "CSS" (Cascading Style Sheets).
  • XSS exploits the trust a user has for a particular website after logging in.
  • Most XSS attacks involve JavaScript, as it is widely supported in browsers.

How XSS Attacks Work

  • Attackers send malicious scripts to victims (commonly via email links).
  • Victims click the link, and the script runs in their browser within the context of the trusted website.
  • The script can steal sensitive data, like session cookies, granting attackers access as the victim.
  • Example: The attacker's script, once executed in the victim's browser, sends the victim's session cookie back to the attacker.

Types of XSS Attacks

  • Reflected XSS: The script is delivered immediately via a link or form and executed in the victim’s browser.
  • Stored (Persistent) XSS: The malicious script is saved on a public web page; all visitors to that page run the script.
  • Example: In 2017, a Subaru website had a persistent XSS vulnerability that exposed user tokens.

Preventing XSS Attacks

  • Avoid clicking suspicious links in emails or untrusted websites.
  • Disabling JavaScript is unrealistic due to web reliance on it.
  • Use third-party security tools that detect and block XSS attacks in real time.
  • Keep browsers and applications updated to patch vulnerabilities.
  • Developers must validate all user inputs to block malicious scripts.
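The two attack types above and the developer-side prevention point share one root cause: untrusted input copied into HTML as markup rather than as text. The following added example (not part of the lecture, written for this page) shows a small Node.js rendering layer for both patterns, a search page that echoes a query parameter (the reflected case) and a comment list replayed to every visitor (the stored case), each in an unencoded and an encoded form. The function names, the in-memory comment list and the sample input string are constructed for the illustration; the check at the end is a deliberately crude marker test, not a real XSS detector.

```javascript
// Added example, not from the original lecture: why output encoding stops XSS.
// A page that copies untrusted input into HTML verbatim is vulnerable whether the
// input arrives once via a URL parameter (reflected) or is saved and replayed to
// every visitor (stored). The fix is the same in both cases: encode the input as
// text before placing it inside HTML.

// Escape the five characters that let text break out of an HTML text node or
// attribute value. Everything else is passed through unchanged.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Reflected pattern: the "q" query parameter is echoed straight back into the page.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Same page, with the parameter encoded before it is inserted.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored pattern: comments kept in an array (a constructed stand-in for a database)
// and rendered for every visitor who loads the page.
function renderCommentsUnsafe(comments) {
  return comments.map((c) => `<li>${c}</li>`).join('');
}

function renderCommentsSafe(comments) {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
}

// Crude marker check used only to make the difference visible: does the rendered
// HTML contain a <script> element that the template itself never emits?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input: the textbook test string, not a real attack payload.
const SAMPLE_INPUT = '<script>alert(1)</script>';

function demo() {
  const unsafe = renderSearchUnsafe(SAMPLE_INPUT);
  const safe = renderSearchSafe(SAMPLE_INPUT);
  console.log('unsafe:', unsafe, '-> script tag present:', containsScriptTag(unsafe));
  console.log('safe:  ', safe, '-> script tag present:', containsScriptTag(safe));

  const stored = ['first post', SAMPLE_INPUT];
  console.log('stored, unsafe:', renderCommentsUnsafe(stored));
  console.log('stored, safe:  ', renderCommentsSafe(stored));
  return { unsafe, safe };
}

demo();
```

Run it with `node xss-encoding.js` (file name assumed). The point for the prevention list: input validation alone does not decide whether a string is dangerous, because the same text is harmless in a database column and harmful inside an HTML template; the encoding step at the point of output is what makes the stored and reflected cases safe alike.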

Key Terms & Definitions

  • Cross-Site Scripting (XSS) — A method for attackers to inject malicious scripts into websites viewed by other users.
  • Session Cookie — Data stored by the browser used to verify a logged-in user’s identity.
  • Persistent XSS — An attack where the malicious code is permanently stored on the target server.
  • Reflected XSS — An attack where the injected code is reflected off the web server, e.g., via a URL.

Action Items / Next Steps

  • Do not click links from unknown or untrusted sources.
  • Ensure browsers and web applications are regularly updated.
  • Review secure coding practices for input validation if developing web applications.