What is Cross-site Scriping (XSS)?

Cross-Site Scripting is the injection of malicious scripts into a normally trusted web application. This is possible whenever user input (for example on a website) is not sufficiently validated either on the client- or the server-side. These scripts contain malware that enables the hacker to perform a variety of attacks.

Cross-Site Scripting attacks are very common in web applications and APIs.

Companies That Trust us

How Crashtest Security Enables Cross-Site Scripting Testing

The Crashtest Security Suite is a UX-optimized user interface to operate our powerful in-depth scanner engine. This allows the easy setup, operation, and remediation of vulnerability scanning. During our 14-day free trial, you can experience the rapid project setup (less than 2 minutes), the scan depth and speed, as well as the built-in wiki with advice for fixing cross-site scripting vulnerabilities.

We will scan for:

SQL Injection
Cross-site Scripting (XSS)
Framework and CVE Entries
TLS / SSL Configuration
Cross-site Request Forgery (CSRF)
..All Other OWASP Attack Vectors

Register for free 14 day trial

Different Types Of Cross Site Scripting Attacks

Stored Cross Site Scripting

Script is persistently stored in web app
Users visiting the app after the infection retrieve the script
Malicous code exploits flaws in the web application
The script and the attack is visible on the server side (to the app owner)

Through a stored XSS attack, the hacker can inject the malicious script persistently into a web application.

That script can be submitted via an input field on the web application and infect the web server which stores it in its database. This means that from then on, all other users retrieve this script whilst accessing information and therefore their session cookie might be accessible.

Reflected Cross Site Scripting

Script is not stored in the web application
Malicious code is shown to only one user
Users that open the link execute the script when app is opened
The script and the attack is not necessarily visible on the server side (to the app owner)

A reflected XSS vulnerability shows the malicious input directly to the user of the web application.

This might include that a search form reflects the unvalidated input and shows what the search key was. An attacker could use this to create a URL containing malicious script and spread it. Users opening the link are getting to a web application where the malicious script is run in the user’s web browser.

DOM Based Cross Site Scripting

Script is not stored in the web application
Malicious code is shown to only one user
Malicious code exploits flaws in the browser on the user side
The script and the attack is not necessarily visible on the server side (to the app owner)

A DOM-Based Cross-Site Scripting attack can even be executed if the backend is totally secure. In order to do this, attackers use flaws in the JavaScript which is executed in the web browser.

DOM stands for Document Object Model and is an interface to web pages. It is essentially an API to the page, allowing programs to read and manipulate the page’s content, structure, and styles.