Cross-site scripting (XSS)

"This server is vulnerable to a cross-site scripting attack. Make sure the client-side (JavaScript) data is secure and validated."


Cross-site scripting is a web attack on vulnerable web applications using JavaScript. Malicious content is delivered to JavaScript-enabled users via an unsafe or untrusted source by composing the data to a dangerous sink inside the Document Object Model (DOM) rather than in HTML which presents a regular XSS.

XSS attacks happen when the input data to a web application is not validated and the output data to the browser is not encoded in HTML.

When XSS attacks are successful, attackers can:

  • Hijack an account.
  • Spread web worms.
  • Access browser history and clipboard contents.
  • Control the browser remotely.
  • Scan and exploit intranet appliances and applications.


To identify and prevent XSS errors in web applications:

  1. Validate the data entered by user browsers in the web application.

  2. Encode all output to user browsers from the web application.

  3. Give users the ability to disable client-side scripts.