惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google Online Security Blog
Google Online Security Blog
S
Security @ Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
人人都是产品经理
人人都是产品经理
The Hacker News
The Hacker News
W
WeLiveSecurity
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
博客园 - 司徒正美
雷峰网
雷峰网
L
LINUX DO - 最新话题
博客园 - 叶小钗
云风的 BLOG
云风的 BLOG
The Last Watchdog
The Last Watchdog
V2EX - 技术
V2EX - 技术
S
Security Affairs
有赞技术团队
有赞技术团队
月光博客
月光博客
T
Threatpost
T
Tor Project blog
O
OpenAI News
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
Know Your Adversary
Know Your Adversary
Project Zero
Project Zero
博客园 - 三生石上(FineUI控件)
D
Docker
AWS News Blog
AWS News Blog
AI
AI
P
Proofpoint News Feed
K
Kaspersky official blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Securelist
F
Fortinet All Blogs
F
Full Disclosure
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
量子位
Hacker News - Newest:
Hacker News - Newest: "LLM"
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Palo Alto Networks Blog
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
美团技术团队
N
News | PayPal Newsroom
T
The Blog of Author Tim Ferriss
MyScale Blog
MyScale Blog

Vulnerabilities – ThreatDown by Malwarebytes

June 2025 Microsoft Patch Tuesday fixes two zero-days April 2025 Patch Tuesday includes one zero-day March 2025 Patch Tuesday, severity over quantity Why ransomware gangs want you to keep using that GPON router - ThreatDown by Malwarebytes Hybrid cloud environments are not safe from ransomware Windows MSHTML vulnerability actively exploited - ThreatDown by Malwarebytes Update now! Critical CVSS 10 vulnerability in Ivanti EPM - ThreatDown by Malwarebytes Update now! Four zero-days fixed in September Patch Tuesday - ThreatDown by Malwarebytes Ransomware gangs target SonicWall vulnerability
What is Cross-Site Scripting (XSS)? - ThreatDown by Malwarebytes
Sheila H · 2024-12-05 · via Vulnerabilities – ThreatDown by Malwarebytes

Cross-site scripting is a type of attack where a vulnerability in web applications is exploited and malicious script is injected into the site content.

Cross-site scripting, or XSS, is a type of injection attack where a vulnerability in web applications is exploited that allows a threat actor to inject malicious script into the site’s content. When other users visit the page, their browsers execute the script because it is stored on the server and served as part of the site’s content. 

What is cross-site scripting?

When an attacker exploits a trusted site’s vulnerability and adds malicious code or script to that site, it is known as cross-site scripting, or XSS. Once a user engages with the script, the code executes and allows the attacker to take advantage of the user within the context of the original, trusted site.

Believe it or not, cross-site scripting has been around since 1999. But while it has roots in the last century, XSS is an old problem that persists today. In fact, according to OWASP (Open Worldwide Application Security Project), injection attacks like XSS and SQL injection rank #3 on their list of top 10 web application vulnerabilities. Talk about staying power.

What is an example of cross-site scripting?

One example of cross-site scripting is when an attacker places harmful script in the comments section of a web page, such as a forum or blog post. If the site does not have guardrails in place to prevent this type of malicious activity, then the script can put other users at risk of being attacked should they interact with the content.

What are the major types of cross-site scripting attacks?

The three most common types of XSS attacks are persistent, reflected, and DOM-based:

  • Persistent XSS: Persistent, or stored, XSS is a type of vulnerability which occurs when the untrusted or unverified user input is stored on a target server. This means that a persistent XSS attack is possible when the attacker exploits a vulnerable website or web application to inject malicious code, and this code is stored on a server so it will later automatically be served to other users who visit the web page.
  • Reflected XSS: Reflected, or non-persistent, XSS is a type of vulnerability which occurs when the untrusted or unverified user input is reflected off of a web application to the browser of the victim. An attacker has to trick the user into sending data to the target site, which is often done by sending the user a specially crafted malicious link. 
  • DOM-based XSS: Unlike persistent and reflected XSS, DOM-based XSS attacks make the victim’s browser itself the vulnerability. The malicious script is not stored nor is it delivered to the server. Instead, it exploits the client-side JavaScript to make use of the lack of proper sanitization. 

Consequences of cross-site scripting attacks

The consequences of an XSS attack depend on the type of attack and the intent of the attacker. Some possible outcomes include:

  • Manipulation of user experience: If a harmful script is running on a victim’s browser under the context of a trusted website, then the victim could see a different version of the website where the attacker can manipulate what is being experienced on the screen. This could allow the victim’s cookies to be transferred to the attacker, who may be able to then access sensitive information.
  • Malware: The attacker can choose to inject malware as part of the XSS attack, which could then escape the browser and run natively on the victim’s system.
  • Phishing: If a victim clicks on a harmful link as part of a phishing campaign, it could redirect the user to another site where malicious code can be executed. Phishing is the number one delivery vehicle for ransomware, a type of software specifically designed to hold a victim’s data hostage.
  • Browser control and data access: XSS can allow attackers to control the victim’s browser, access browser history, clipboard contents, and even scan and exploit intranet applications.

How to prevent XSS attacks

Developers can help prevent XSS attacks by validating user inputs. This includes inspecting and either rejecting or approving all user-generated content on their websites. They should also encode the output, so that symbols are converted into their plain-text counterparts. This avoids the possibility of harmful scripts making it onto the website and affecting its users. However, even with these best practices in place, vulnerabilities like injection attacks are still possible.

That’s why IT teams are engaging Managed Detection and Response (MDR) Services to prevent, detect, and respond to attacks like cross-site scripting. MDR protects endpoints from vulnerabilities 24/7, so IT teams never miss a threat. And MDR teams can monitor for suspicious traffic and analyze logs to flag possible signs of XSS attempts.