XSS (Cross-Site Scripting)

XSS lets attackers run scripts in a victim's browser by injecting markup that the application echoes back without escaping.

Definition

Cross-Site Scripting (XSS) is a family of vulnerabilities in which a web application accepts untrusted input and renders it in a page such that the input is parsed and executed as code by the victim's browser. The "cross-site" name is historical: the canonical attack injects script that runs in a user's session on the legitimate site, often using a malicious link or a stored payload to deliver it.

XSS has three traditional variants. Reflected XSS bounces the payload off the server in the immediate response — a search query that echoes the term unescaped is the textbook case. Stored XSS persists the payload (in a comment, a profile field, a forum post) so any visitor who renders it executes the attacker's script. DOM-based XSS never touches the server: client-side JavaScript reads a value from `location.hash` or `document.referrer` and writes it into the DOM via `innerHTML` without sanitisation.

How it works

The browser does not distinguish between markup the application intended to emit and markup that originated from user input — both go through the same HTML parser. If the application interpolates an attacker-controlled string into the HTML stream without contextual escaping, any `<script>`, `<img onerror>`, `<svg onload>`, or `javascript:` URL in that string runs with the victim's authority on the origin.

Modern attacks rarely rely on a bare `<script>` tag. Event-handler attributes (`onfocus`, `onmouseover`), `data:` URLs, and template-engine sandbox escapes are all common variants. Single-page applications add a fourth axis: client-side template engines (Angular, Vue, React with raw-HTML escape hatches) introduce their own escape contexts, so output must be encoded for the context the client-side renderer will place it in, not just for the server's HTML.

Impact

Session hijacking, credential theft, account takeover, defacement, malware delivery, and — when combined with CSRF or token leakage — full administrative compromise. Stored XSS in a high-traffic context (a popular forum, a SaaS dashboard) is functionally a worm vector.

Mitigation

Apply context-aware output encoding everywhere user input crosses into HTML, attribute, JavaScript, CSS, or URL contexts. Use template engines that escape by default (Django, Jinja, Go html/template, React JSX) and treat any "raw HTML" escape hatch as a code-review smell. Layer Content-Security-Policy with a strict `script-src` directive and `object-src 'none'` so even a successful injection has nowhere to load code from. The OWASP XSS Prevention Cheat Sheet is the canonical reference.

Examples

  • CVE-2018-9206 — Stored XSS in jQuery-File-Upload affecting downstream packages.
  • CVE-2020-11022 — DOM XSS in jQuery's html() with untrusted input.
