NuHarbor Security
  • Solutions
    Solutions
    Custom cybersecurity solutions that meet you where you are.
    • Overview
    • Our Approach
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • By Business Need
      • Identify Gaps in My Cybersecurity Plan
      • Detect and Respond to Threats in My Environment
      • Fulfill Compliance Assessments and Requirements
      • Verify Security With Expert-Led Testing
      • Manage Complex Cybersecurity Technologies
      • Realize the Full Value of Microsoft Security
      • Security Monitoring With Splunk
    • By Industry
      • State & Local Government
      • Higher Education
      • Federal
      • Finance
      • Healthcare
      • Insurance
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Services
    Services
    Outcomes you want from a team of experts you can trust.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Security Testing
      • Penetration Testing
      • Application Penetration Testing
      • Vulnerability Scanning
      • Wireless Penetration Testing
      • Internal Penetration Testing
      • External Penetration Testing
    • Assessment & Compliance
      • CMMC Compliance
      • NIST 800-53
      • HIPAA Security Standards
      • ISO 27001
      • MARS-E Security Standards
      • New York Cybersecurity (23 NYCRR 500)
      • Payment Card Industry (PCI)
    • Advisory & Planning
      • Security Strategy
      • Incident Response Planning
      • Security Program Reviews
      • Security Risk Assessments
      • Virtual CISO
      • Policy Review
    • Managed Services
      • SOC as a Service
      • Microsoft Security Managed Services
      • Splunk Managed Services
      • Tenable Managed Services
      • CrowdStrike Managed Detection and Response (MDR)
      • Zscaler Support Services
      • Vendor Security Assessments
      • Curated Threat Intelligence
      • Vulnerability Management
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Partners
  • Resources
    Resources
    Explore reports, webinars, case studies, and more.
    • Browse Resources
    • Consultation Icon Consult with an expert
    • Blog icon Blog
    • Podcast icon Podcast
    • Annual SLED CPR icon Annual SLED CPR
    • Downloadable Assets icon Downloadable Assets
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Company
    Company
    We do cybersecurity differently – the right way.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Leadership
    • News
    • Careers
    • Contact
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Consult with an expert
  • Client support
  • Careers
  • Contact
1.800.917.5719
NuHarbor Security Blog
    • Compliance
    • Cybersecurity Technology
    • Security Operations
    • Industry Insights
    • Security Testing
    • Advisory and Planning
    • Application Security
    • Managed Detection and Response
    • Threat Intelligence
    • NuHarbor
    • Managed Services
    • Cyber Talent
June 11, 2020

Web app vulnerability basics: Cross-site scripting

Justin Fimlaid Justin Fimlaid

This is the third installment in a series on Web Application Vulnerability Basics.

What Is Cross-Site Scripting?

Cross-Site Scripting, also known as XSS, is a web exploit that allows an attacker to inject malicious content (e.g., markup, or scripts) into a web application. Many cross-site scripting attacks utilize JavaScript, a client-side scripting language used by many websites and web applications. In an attack scenario, scripts are executed on a victim’s browser, possibly without the their knowledge, when a vulnerable webpage is visited. Attackers use XSS for session hijacking, stealing credentials, redirecting victims, and modifying how a page is rendered, and much more. XSS is widely prevalent and ranks as the second most common web application attack according to the OWASP Top 10 list for 2017.

How Does XSS Work?

For a cross-site scripting attack against a web application to be successful, two conditions must be met. One, the web application needs to accept some form of user input. This is usually data being passed in a web request, which the web app does not validate correctly. Two, this data is included, without proper sanitization, on the response back to the user’s browser where the attack is then triggered.

There are two types of cross-site scripting attacks: Reflected XSS and Stored XSS.

Reflected XSS

In a reflected XSS attack, an attacker’s payload (traditionally JavaScript) is injected into a legitimate web request, usually by tricking a victim into visiting a malicious URL or via a phishing attack. The payload is then included by the web server into the response to the victim, which gets executed by the user or browser.

A reflected XSS attack has no persistence and requires an attacker to trick the victim into submitting a malicious request themselves. Because of this, a reflected attack is less severe than a stored XSS attack due to the limited scope. However, a reflected XSS vulnerability is usually easier to find than a stored XSS vulnerability.

Stored XSS

In a stored XSS attack, an attacker will inject a payload (again, traditionally JavaScript) into a field that is stored by the web application and potentially displayed to one or more users. This can include profile names, photos, comments, and any other element within the application that displays user-provided input to other users. XSS can also be injected into HTML elements and triggered by a JavaScript event handler, such as the “onerror” attribute of an HTML image object. Any user who visits the page containing the malicious payload may then cause it to trigger. For example, if a profile photo element contains a malicious payload, this may fire every time a user of the web application visits the malicious profile.

The scope of a stored XSS attack isvast. Anyone visiting a page with an injected XSS payload could have their accounts compromised, data stolen, session hijacked, and more. Stored XSS attacks can lead to a full compromise of the web application if an administrator’s credentials are stolen. This attack could also be paired with cross-site request forgery to perform actions on behalf of victim without their knowledge.

XSS Mitigation Techniques

There are a few mitigation techniques that can be utilized to prevent XSS attacks. These techniques are simple but effective, and mainly focus on sanitizing and validating user input.

  • Restrict and validate user input wherever possible.
  • Utilize proper character escapes when inserting untrusted data (which all user supplied data should be treated as) into HTML elements, HTML attributes, JavaScript data values, CSS style blocks, and URL parameters.
  • If markup is handled by web application (uses similar characters to HTML), use a HTML sanitization library.
  • Utilize HttpOnly cookies to prevent JavaScript from reading or modifying site cookies and session hijacking via XSS.
  • Implement a strict content security policy to limit scope of a successful XSS attack.

Conclusion

Protecting against XSS attacks is crucial to maintaining a secure web application. Keep XSS attacks in mind while developing and maintaining web applications and verify that XSS mitigation strategies are working as intended.​

Justin Fimlaid
Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.

Related Posts

3 min read
Web app vulnerability basics: Cross-site request forgery Read More
Compliance 3 min read
Securing Healthcare from Ransomware Attacks Read More
Industry Insights 12 min read
The First 101 Days as a New Chief Information Security Officer: A CISO Roadmap Playbook
Read More

Latest Pwned episodes

Episode 200 - Reflections of Pwned...Until Next Time
April 03, 2024
Episode 200 - Reflections of Pwned...Until Next Time
Listen Now
Episode 199 - When a BlackCat Crosses Your Path...
March 21, 2024
Episode 199 - When a BlackCat Crosses Your Path...
Listen Now
Episode 198 - Heard it Through the Grapevine - Beyond the Beltway, 2024
March 08, 2024
Episode 198 - Heard it Through the Grapevine - Beyond the Beltway, 2024
Listen Now
NuHarbor Security logo
NuHarbor Security

553 Roosevelt Highway
Colchester, VT 05446

1.800.917.5719

  • Solutions
  • Services
  • Partners
  • Resources
  • Company
  • Contact
  • Privacy Policy
Connect
  • Twitter
  • Linkedin
  • YouTube
©2025 NuHarbor Security. All rights reserved.

Subscribe via Email

Subscribe to our blog to get insights sent directly to your inbox.

Subscribe Here!

  • Solutions
    Solutions
    Custom cybersecurity solutions that meet you where you are.
    • Overview
    • Our Approach
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • By Business Need
      • Identify Gaps in My Cybersecurity Plan
      • Detect and Respond to Threats in My Environment
      • Fulfill Compliance Assessments and Requirements
      • Verify Security With Expert-Led Testing
      • Manage Complex Cybersecurity Technologies
      • Realize the Full Value of Microsoft Security
      • Security Monitoring With Splunk
    • By Industry
      • State & Local Government
      • Higher Education
      • Federal
      • Finance
      • Healthcare
      • Insurance
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Services
    Services
    Outcomes you want from a team of experts you can trust.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Security Testing
      • Penetration Testing
      • Application Penetration Testing
      • Vulnerability Scanning
      • Wireless Penetration Testing
      • Internal Penetration Testing
      • External Penetration Testing
    • Assessment & Compliance
      • CMMC Compliance
      • NIST 800-53
      • HIPAA Security Standards
      • ISO 27001
      • MARS-E Security Standards
      • New York Cybersecurity (23 NYCRR 500)
      • Payment Card Industry (PCI)
    • Advisory & Planning
      • Security Strategy
      • Incident Response Planning
      • Security Program Reviews
      • Security Risk Assessments
      • Virtual CISO
      • Policy Review
    • Managed Services
      • SOC as a Service
      • Microsoft Security Managed Services
      • Splunk Managed Services
      • Tenable Managed Services
      • CrowdStrike Managed Detection and Response (MDR)
      • Zscaler Support Services
      • Vendor Security Assessments
      • Curated Threat Intelligence
      • Vulnerability Management
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Partners
  • Resources
    Resources
    Explore reports, webinars, case studies, and more.
    • Browse Resources
    • Consultation Icon Consult with an expert
    • Blog icon Blog
    • Podcast icon Podcast
    • Annual SLED CPR icon Annual SLED CPR
    • Downloadable Assets icon Downloadable Assets
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Company
    Company
    We do cybersecurity differently – the right way.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Leadership
    • News
    • Careers
    • Contact
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
Consult with an expert
  • Client support
  • Careers
  • Contact