Cross-Site Scripting


What is Cross-Site Scripting?

Cross-site scripting (XSS) is a security vulnerability found in web applications. An XSS attack targets the scripts behind a webpage that run on the client side, in the user's web browser. The attack is made possible by an XSS vulnerability: a weakness in how the application's client-side code, written in JavaScript and HTML, handles untrusted input. By injecting a malicious client-side script into an otherwise trusted website, XSS tricks the application into delivering that script to the browser, which runs it because it appears to come from the trusted source. The injected script then deceives users by making the page behave in the manner the attacker wants.

Because the unsuspecting browser has no way of knowing that the script should not be trusted, it executes the XSS script, which can then access cookies, session tokens, and other sensitive information the browser retains and uses with that site. In short, cross-site scripting allows the attacker to "hijack" HTML pages, deceive users, and steal sensitive data as the script takes control, redirects links, and rewrites content on that site.
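The two paragraphs above describe the mechanism (untrusted text reaches the browser as markup, and the resulting script can read cookies) but not the defence. The following is an added example, not code from the original page or from Contrast: it shows a page fragment built by string concatenation beside the same fragment with output encoding applied, a check that tells the two apart, and a session cookie flagged so that page scripts cannot read it. The function names, the `escapeHtml` helper and the sample comment text are all constructed for this illustration.

```javascript
// Added example (not from the original page). Names such as escapeHtml,
// renderComment and sessionCookieHeader are assumptions for illustration.

// Encode the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: untrusted values are concatenated straight into markup,
// so a script element inside a comment is delivered to the browser as code.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Hardened form: every untrusted value is encoded for the HTML text context,
// so the same input is shown to the reader as literal characters.
function renderComment(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Simple check used to compare the two renderings: does the fragment still
// contain an executable script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Session cookie marked HttpOnly so that document.cookie cannot read it even
// if a script does run; Secure and SameSite limit where the browser sends it.
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[;\r\n\s]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  return `${name}=${value}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample input standing in for a user-submitted comment.
const SAMPLE_TEXT = 'Nice post <script>alert("xss")</script>';

// Stand-alone demonstration of both renderings.
console.log('unsafe :', renderCommentUnsafe('guest', SAMPLE_TEXT));
console.log('encoded:', renderComment('guest', SAMPLE_TEXT));
console.log('cookie :', sessionCookieHeader('sid', 'abc123'));
```

Output encoding is context specific: `escapeHtml` is correct for text nodes and quoted attribute values, but a value placed inside a URL, a JavaScript string or a CSS rule needs the encoding for that context instead. The HttpOnly flag does not prevent XSS; it only removes the session cookie from what a script that does run can read.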

Contrast Community Edition

Release Secure Software Faster... No Security Expertise Needed!

Meet software delivery deadlines and security mandates. Contrast Community Edition for Java applications, .NET Core (and .NET Framework coming soon), and APIs delivers security-as-code that protects your software against the most common security flaws. With Contrast, you can remediate vulnerabilities early in the SDLC and monitor and defend against attacks on production applications.