One of the most common website attacks that most businesses have never heard of.

Brand Barney, Security Analyst, SecurityMetrics
By: Brand Barney
Cross-site scripting (also known as XSS) allows bad guys to embed malicious code into a legitimate (but vulnerable) website to ultimately gather user data like credit cards or passwords.



Want to see more vids like this? Subscribe on YouTube for more security tips.


How does cross-site scripting work? Here’s an example of one type of XSS.

  • The hacker finds a legitimate webpage with an input field. Input fields could range from a first name field to a credit card field.
  • The hacker checks if the webpage is vulnerable to cross-site scripting. For this type of attack to work, the web application must use the data the user enters and echo it back to the user. For example, if you sign in with your username (say, example123) and the webpage says something like, “Welcome example123!”, that webpage is echoing your data back to you. Once the user input is echoed back, if the browser is able to interpret it as executable language, then the attacker can confirm the page is vulnerable.
  • The hacker embeds malicious script. Based on the intent of the attack, hackers can capture the keystrokes of the user, steal usernames or passwords entered into the fields, or even copy the entire webpage and redirect users to a fake webpage.
  • The hacker distributes the payload, then sits back and waits. When a user visits the web page (usually through a bad URL), the JavaScript executes on his or her browser (stealing targeted sensitive data). Users usually have no idea this is happening.
SEE ALSO: The Case of the Evil JavaScript


Is my website vulnerable to cross-site scripting?

Possibly. I estimate that 1/3 of all websites are susceptible to XSS.
XSS is a huge flaw in many websites if left untested and not properly avoided.

How to stop cross-site scripting on your website

  • Run external vulnerability scans. Vulnerability scans help locate coding errors where XSS vulnerabilities may occur.
  • Talk to your web developer and make sure your site is properly coded with security in mind.
Ask your business security question in the comments!


Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.