What is cross-site scripting (XSS)?
1st October 2025
How could you be infected with malicious code and not even know it?
Cross-site scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Usually written in JavaScript, these scripts execute in the victim’s browser, frequently without being detected.
XSS is a client-side vulnerability, meaning that the attack occurs in the user’s browser, not on the server. Often, though, the cause is insecure server-side code that fails to handle user input properly.
These attacks occur when web applications accept user input – comments, search queries, profile names, etc. – and display it back to users. If this input is not encoded or sanitised correctly, attackers can inject JavaScript code that gets executed when others view the page.
Say a blog allows users to post comments: if a comment is stored and displayed without being filtered, an attacker could submit a malicious script. When another user views the comment, their browser executes the script, sending their session cookie to the attacker, which can allow the account to be hijacked.
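The blog-comment scenario above, as an added example that is not from the original article: the same stored comment rendered by plain string concatenation and by a version that HTML-encodes every user-controlled field at output time. The function names and the sample comment are constructed for illustration, and the marker script is a harmless alert.

```javascript
// Added example: rendering a stored blog comment with and without output encoding.
// All names and the sample comment are constructed for illustration.

// Characters that are significant in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text so the browser treats it as data, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the stored comment is concatenated into the page unchanged.
function renderCommentUnsafe(comment) {
  return `<li class="comment"><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Hardened: every user-controlled field is encoded when the page is built.
function renderCommentSafe(comment) {
  const author = escapeHtml(comment.author);
  const body = escapeHtml(comment.body);
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Constructed sample: a comment whose body carries a harmless marker script.
const storedComment = {
  author: "mallory",
  body: 'Nice post!<script>alert("xss")</script>',
};

// True if the rendered HTML still contains a live <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderCommentUnsafe(storedComment));
console.log("safe:  ", renderCommentSafe(storedComment));
```

The unsafe output contains a script element that a browser would run for every visitor; the safe output shows the same characters as visible text.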
Types of XSS attack include:
· Stored XSS (persistent) – malicious script is saved on the server and triggered whenever a user views the infected content. It is common in forums, on social media and in user profiles.
· Reflected XSS (non-persistent) – the script is embedded in a URL or form input and reflected in the server’s response. These are often used in phishing attacks via crafted links.
· DOM-based XSS – in this version, the vulnerability exists in the client-side JavaScript. The script is injected and executed in the browser, often via DOM manipulation.
These attacks are so common because many web applications rely on dynamic content and user input. Developers may overlook input or output sanitisation; legacy systems and custom-built CMS platforms often lack modern protections; and JavaScript’s flexibility makes it easy to exploit if not properly controlled.
An XSS-based attack can lead to:
· Session hijacking – stealing cookies or tokens to impersonate users
· Credential theft – capturing login details via fake forms
· Website defacement – altering page content to mislead or embarrass
· Malware distribution – redirecting users to malicious downloads
· Phishing – creating deceptive interfaces to trick users into revealing sensitive data
Is your security able to withstand a cross-site scripting attack? If not, or if you have any more questions about how it works, please contact Interfuture Security.
YouTube: https://youtu.be/hzoPEBIGssQ