
What is cross-site scripting?

If you fail to get your car’s brake pads replaced because you didn’t notice they were worn, you could end up doing far more damage to your car in no time at all. It’s pretty much the same if you fall victim to what’s known as a cross-site scripting attack.

Read on to learn what cross-site scripting — XSS for short — is, how it works, and what you can do to protect yourself.

Cross-site scripting (XSS): What it means

Put simply, hackers use cross-site scripting (XSS) to make online forms, web pages, or even servers do things they’re not supposed to do.

In most cases, hackers use what are known as scripting languages (JavaScript in particular) since these are widely used by programmers — which is why the term “scripting” is used in designating this type of cyberattack. “Cross” (or the “X” in XSS) means that these malicious scripts work across sites.

XSS is one of the most common attack methods on the internet, allowing cybercriminals to inject malicious code into otherwise seemingly benign and trusted servers or web pages. They can use cross-site scripting to manipulate web pages, hijack browsers, rob confidential data, and steal entire user accounts in what is known as online identity theft.

Unfortunately, the security holes in web pages and on servers that allow cross-site scripting attacks to succeed are common. They arise wherever user-supplied data is not adequately verified before it is processed or even passed on.

As such, even a small security hole in a web page or on a server can let malicious scripts reach the web server or the browser, which then executes them, with fatal results.

How does cross-site scripting work?

Generally speaking, most web pages let you add content such as comments, posts, or even log-in information. In theory, that makes cross-site scripting possible wherever the code that forwards the content you entered to a server fails to verify it properly.

Thanks to these holes, which are also known as XSS holes, cybercriminals can transfer their malicious scripts to what is known as the client — meaning to the web server as well as to your browser or device. Online fraudsters benefit from the fact that most web pages are now generated dynamically — and that almost any scripting language that can be interpreted by a browser can be accepted and used to manipulate the transfer parameters.

For example, it’s easy for hackers to modify server-side scripts that define how data from log-in forms is to be processed. Among other dirty deeds, they can then arrange for usage data to be transferred to a fraudulent server.

That said, XSS attacks do not necessarily aim to directly harm the affected client (meaning your device or a server) or steal personal data. Rather, the attackers’ fraudulent scripts are used to exploit the affected client as the “sender” of malware and phishing attacks — with potentially devastating results. In such cases, the perpetrators of the cyberattacks of course remain anonymous and hidden in the background.

There are three types of cross-site scripting attack, which we’ll delve into in more detail now:

  • Reflected cross-site scripting
  • Stored or persistent cross-site scripting
  • DOM-based or local cross-site scripting

Reflected cross-site scripting

With reflected attacks, hackers manage to smuggle their malicious scripts onto a server.

If you click on a seemingly trustworthy web page that hackers have put together, a request is sent to the server on which the web page hidden behind the link is located.

If the server’s checks on the transfer parameters are inadequate or have holes, the dynamically generated web page will still be displayed correctly, but it will be one that a hacker has manipulated or supplemented with malicious scripts. That’s because every component involved in displaying this web page has accepted the hacker’s scripts. If you now enter your personal log-in details, in many cases this information is, unsurprisingly, forwarded straight to the hacker’s server.

Reflected cross-site scripting is very common in phishing attacks. Since you believe the web pages modified by server-based XSS to be genuine, you have no reason to suspect anything’s up, so you end up simply serving up your log-in details to the cyberattackers on a plate without even being aware of it.

Stored or persistent cross-site scripting

With persistent attacks, a security hole on a server is also the starting point for a possible XSS attack.

However, in the case of persistent cross-site scripting, the changes a hacker makes to website scripts are stored permanently — or persistently — in the database of the web server in question.

In this case, you don’t even need to click on a manipulated link: because of the changes in the web server’s database, the fake web pages are displayed automatically when you visit the regular website.

Very often, hackers use poorly protected forums as gateways to submit their manipulated code to the web server hosting those forums. In this case, a simple forum post with a malicious script is enough for them to change the web server’s database and subsequently be able to access masses of user access data.

Stored XSS attacks are more complicated than reflected ones. They’re actually only worthwhile for cybercriminals on websites that are very popular, meaning they have enough visitors. And of course, these websites must have security holes that allow hackers to inject their manipulated scripts.

But once they’re successful, the number of possible victims increases many times over, because anyone who accesses this website infected using persistent cross-site scripting will have the fraudulent scripts sent to their browser. That’s why it’s almost impossible to detect persistent or stored XSS attacks until it’s too late.
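To make the reflected and stored cases described above concrete, here is an added example that is not part of the original post: a small Node.js rendering module that puts the vulnerable "echo the input straight into the page" pattern next to its hardened form, and a forum-style store that keeps posts as raw text and encodes them only when rendering. The function names, the in-memory forum table and the probe string are constructed for illustration; only the escaping rules and the Content-Security-Policy header are standard.

```javascript
// Added example (not from the original post): where reflected and stored
// XSS come from on the server side, and how output encoding at render time
// removes the problem. Pure functions only, so it runs offline under Node
// without opening a socket.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable (reflected): the search term taken from the URL is concatenated
// straight into the page, so whatever the link carried comes back as markup.
function renderSearchVulnerable(term) {
  return `<h1>Results for: ${term}</h1>`;
}

// Hardened: the same page, but every dynamic value goes through escapeHtml,
// and the response carries a Content-Security-Policy that refuses inline
// scripts even if an encoding bug slips through somewhere else.
function renderSearchSafe(term) {
  return {
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    },
    body: `<h1>Results for: ${escapeHtml(term)}</h1>`,
  };
}

// Constructed in-memory "database" standing in for the forum table where a
// stored XSS payload would persist. Store the raw text; encode on output.
const forumPosts = [];

function savePost(author, text) {
  forumPosts.push({ author: String(author), text: String(text) });
  return forumPosts.length;
}

// Stored case, hardened: posts are encoded at render time, so a script tag
// saved in the database is shown to other visitors as literal text.
function renderForum() {
  return forumPosts
    .map((p) => `<article><b>${escapeHtml(p.author)}</b>: ${escapeHtml(p.text)}</article>`)
    .join("\n");
}

// Constructed probe input of the kind a scanner or code reviewer would use.
const PROBE = "<script>alert(1)</script>";

// Runs both scenarios and returns the rendered output for inspection.
function demo() {
  savePost("alice", "hello <b>world</b>");
  savePost("mallory", PROBE);
  return {
    reflectedUnsafe: renderSearchVulnerable(PROBE),
    reflectedSafe: renderSearchSafe(PROBE).body,
    storedSafe: renderForum(),
  };
}
```

Storing the raw text and encoding at output time is the usual pattern: it keeps the data intact and makes the encoding decision at the one place where the context (HTML text, attribute, URL) is known. The Content-Security-Policy header is a second, independent layer: even if a template somewhere forgets to escape, the browser will not run an inline script that the policy does not allow.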

DOM-based or local cross-site scripting

With local or DOM-based XSS attacks, cybercriminals do not exploit a security hole on a web server. Instead, they send you their malicious script via a specially crafted email. This script is then executed in your browser without you even noticing. They use social engineering methods such as phishing or spoofing to trick you into visiting their spoof website.

All you have to do is click a supposedly trustworthy link sent by email, and your browser will have already integrated the malicious script (referred to as client-side JavaScript). Your browser accepts this infected script because it’s mistakenly considered part of the source code of this supposedly trustworthy web page and executes it — showing you the web page you have accessed, albeit a manipulated version of it.

If your browser also has special rights on your laptop or PC, hackers can then even spy on and manipulate data stored locally on your device.

Since this code is not visible, and most of us are unfamiliar with programming languages like JavaScript anyway, it’s practically impossible for us to detect a local XSS attack.
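The DOM-based case differs from the two above in that the server never sees the malicious value: the page’s own client-side JavaScript reads something from the URL and writes it into the document. The fix therefore has to live in that client-side code. The following is an added example, not code from the original post; the section ids, the allowlist, the regular expression and the element stub are assumptions made for illustration.

```javascript
// Added example (not from the original post): a DOM-based XSS pattern and
// its hardened replacement. Node has no DOM, so the vulnerable line is kept
// as a string for reference and the safe code works on an element-like
// object that a real page would replace with document.getElementById(...).

// Vulnerable pattern: the fragment after '#' is decoded and written as HTML.
// Nothing on the server is involved, so server-side filtering cannot help.
const VULNERABLE_SNIPPET =
  "document.getElementById('greeting').innerHTML = decodeURIComponent(location.hash.slice(1));";

// Hardened approach:
// 1. Accept only values that match a strict allowlist pattern.
// 2. Map them to known section ids instead of echoing the input.
// 3. Write text with textContent (or create nodes), never innerHTML.
const KNOWN_SECTIONS = new Set(["intro", "reflected", "stored", "dom"]); // assumed ids
const SAFE_ID = /^[a-z][a-z0-9-]{0,31}$/;
const DEFAULT_SECTION = "intro";

// Turns a location.hash value into a section id, falling back to the
// default for anything malformed, unknown, or markup-like.
function sectionFromHash(hash) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    return DEFAULT_SECTION; // malformed percent-encoding
  }
  if (!SAFE_ID.test(decoded) || !KNOWN_SECTIONS.has(decoded)) {
    return DEFAULT_SECTION;
  }
  return decoded;
}

// Renders the greeting into an element-like object using textContent, so
// the value is treated as data and can never become markup or script.
function renderGreeting(el, hash) {
  const section = sectionFromHash(hash);
  el.textContent = `Viewing section: ${section}`;
  return section;
}
```

In a real page you would call `renderGreeting(document.getElementById("greeting"), location.hash)` on load and on the `hashchange` event. The allowlist is what makes the difference: rather than trying to detect bad input, the code only ever writes values it already knows, and it writes them as text.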

How can you protect yourself from cross-site scripting?

Many cross-site scripting attacks are aimed at the servers hosting corporate, banking, or government websites. There, however, IT managers are responsible for continuously checking the security mechanisms and adapting protective measures.

But you as a private individual also have a number of options that you can use to protect yourself from the fallout of an XSS attack.

Avoiding XSS attacks involves careful handling of links and emails

As you’re probably aware, it’s people who are the biggest vulnerability when it comes to using digital devices. After all, just how quick are you to click the link in an email message that looks like it’s been sent by someone you know without so much as a second thought? We’re also warned regularly about phishing attacks — particularly from banks whose online facilities we use.

Even if your bank hasn’t sent you any specific information about a phishing attack, you can spot fraudulent emails based on a few tell-tale signs:

  • The displayed sender address is not necessarily the actual one. By looking at the sender details in the email header, you can easily see if the person who sent it truly is who they purport to be. If instead you see a rather cryptic-looking email address, your best course of action is to move this email to your email program’s spam folder right away.
  • If there’s no personalized salutation in the email message, in other words you’re not addressed by your name, this can be a tell-tale sign that you’re dealing with a fraudulent message.
  • Poor grammar, spelling, and punctuation are all signs that hackers want to steer you to a fraudulent web page.
  • Even a slightly different looking version of a website that you use frequently can be a sign that it’s been manipulated.

Block JavaScript to minimize cross-site scripting damage

You can improve your protection against local XSS attacks by switching off your browser’s JavaScript support, because JavaScript-based attacks are often ineffective if active scripting is turned off.

However, disabling JavaScript only helps protect you against actual XSS attacks, not against HTML or SQL injection attacks. Take a look at our blog post to learn more about what’s behind this form of cyberattack.

Avoid local XSS attacks with Avira Browser Safety

If you install a browser web protection add-on like Avira Browser Safety, this extension can help you detect and avoid browser hijacking, unwanted apps in your downloads, and phishing pages — protecting you from the results of a local XSS attack.

The useful Browser Safety extension works in the background on Windows and Mac devices and is fully customizable. Avira Browser Safety is available for Firefox, Chrome, Opera, and Edge (in each case included with Avira Safe Shopping).


A proven antivirus program can help you avoid cross-site scripting attacks

We cannot stress it enough: Any device you use apps on and to go online with should have a proven antivirus solution installed on it. Avira Free Antivirus comes from one of Germany’s leading providers of online security and can help you improve your device’s real-time protection.

Avira Free Antivirus is an automated, smart, and self-learning system that strengthens your protection against new and ever-evolving cyberthreats. With built-in PUA protection, Avira Free Antivirus can also help detect potentially unwanted applications hiding inside legitimate software.



Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.