Cross-Site Scripting, Explained

One of the most common website attacks that most businesses have never heard of.

Cross-site scripting (also known as XSS) allows bad guys to embed malicious code into a legitimate (but vulnerable) website to ultimately gather user data like credit cards or passwords.

How does cross-site scripting work? Here’s an example of one type of XSS.

• The hacker finds a legitimate webpage with an input field. Input fields could range from a first name field to a credit card field.
• The hacker checks if the webpage is vulnerable to cross-site scripting. For this type of attack to work, the web application must use the data the user enters and echo it back to the user. For example, if you sign in with your username (say, example123) and the webpage says something like, “Welcome example123!”, that webpage is echoing your data back to you. Once the user input is echoed back, if the browser is able to interpret it as executable language, then the attacker can confirm the page is vulnerable.
• The hacker embeds malicious script. Based on the intent of the attack, hackers can capture the keystrokes of the user, steal usernames or passwords entered into the fields, or even copy the entire webpage and redirect users to a fake webpage.
• The hacker distributes the payload, then sits back and waits. When a user visits the web page (usually through a bad URL), the JavaScript executes on his or her browser (stealing targeted sensitive data). Users usually have no idea this is happening.
  

See also: The Case of the Evil JavaScript‍

Is my website vulnerable to cross-site scripting?

Possibly. I estimate that 1/3 of all websites are susceptible to XSS.

See also: SecurityMetrics PCI Guide

How to stop cross-site scripting on your website

• Run external vulnerability scans. Vulnerability scans help locate coding errors where XSS vulnerabilities may occur.
• Talk to your web developer and make sure your site is properly coded with security in mind.