top of page


  • Chris Bratton - Tech Journalist

For protecting the IT sector and websites from hacking, XXL web security measurements are crucial

Cross-site scripting XSS is one of the deadliest attacks that can happen to your website. Whether you run a small business or have an online presence for a larger company, there is a chance of being compromised. Authorities that run websites, online businesses and need a flawless medium to reach more customers should be aware of XSS attacks. After targeting a website, an attacker injects malicious scripts into the web-server. As a result, the users fall victim, even the website gets compromised.

Types of XSS attack

There are three types of XSS attacks you should be aware of. Wheatear you’re the business owner or the IT staff, it is in our best interest to learn ways XSS attacks. To keep ourselves prepared for the potential threat. Major XSS threat types are the following:

Stored XSS

Stored XSS is the primary type of an XSS attack. When an attacker finds a vulnerability in a web application and injects malicious scripts or payload to the server, we call it a Stored XSS attack. The code can be on the comment section of the website or the fields that can take inputs. An attacker puts the script or malicious site link underneath the comment and every time a visitor loads the web application, the code gets executed. It may look very simple but is quite dangerous. A user trusts the website to have all the basic and advanced facilities that won’t accommodate threats. But the attack type is so common yet powerful that many people fall victim to it. This is not typically a server-sided attack as the attacker doesn’t temper with the server.

Reflected XSS

Reflected XSS attack works by reflecting XSS request. In this one, the attacker sends the victim modified link to any website or service. When the victim spectates the link as trusted and clicks on it, requests are being reflected from the server to the victim. And eventually, the packets of data is being transferred to the attacker. This attack can phish users of their sensitive information like credentials, site cookies, and so on. It is quite an advanced protocol of XSS attack. We don’t see that very often.


Did you know, every JavaScript code is being executed in your browser that comes with the website? It’s the same reason why browsers are hard to build. Because they can execute complex scripts. In a DOM-based XSS attack, the attacker modifies the returning payload by injecting a malicious script. Our browsers became very intelligent over time, thanks to the development teams working behind the scene continuously. But none the less, client-side JavaScript, modified by an attacker can cause harm to not only the user but the data centre hosting the platform.

Why do experts care for XSS attacks?

As an online-based business or the online front end, it should be in our best interest to care for the attack and learn more about them. If someone searches with a specific keyword on the site and the site script get modified to show or change value with the keyword, chances are it's not secure, and it will be compromised today or tomorrow. Some tools crawl through the internet and find vulnerable websites. A well-coordinated XSS attack can impersonate a user, and carry out tasks on the user's behalf. Even the data that is only permitted for a specific user, can be read by the attacker. Web application functionalities can break and may need serious restoration as there is a risk of injecting trojan and capture data.

Protection against XSS attack

We’ve discussed briefly and now have a general idea of what an XSS attack is or how it functions. It’s a topic that’s very important to leave behind and at the same time, prevention methods should be practiced ideally. According to OWASP, XSS attacks are not very common nowadays, as most of our database and panels are already updated to prevent primary attacks. But there is always a loophole on web applications and it's just a matter of time an attacker finds it. Major companies like Google, Facebook, and many more offer big dollars to people, who regularly look for vulnerabilities in their system. It is recommended to always browse the secure sites protected by HTTPS://.

Monitoring special characters in the HTML context requires JavaScript values to escape. Which will lead to character complexity. And escaping these characters is necessary. Auto-sanitisation library, anti-Sammy are a few basic filters to be added on the backend of the program. According to the OWASP content security policy, building a good XSS filter doesn’t only protect against XSS but at the same time prevents other types of attacks.


bottom of page