惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Project Zero
Project Zero
GbyAI
GbyAI
Y
Y Combinator Blog
Google DeepMind News
Google DeepMind News
小众软件
小众软件
The GitHub Blog
The GitHub Blog
阮一峰的网络日志
阮一峰的网络日志
J
Java Code Geeks
WordPress大学
WordPress大学
Microsoft Security Blog
Microsoft Security Blog
IT之家
IT之家
F
Fortinet All Blogs
博客园 - 【当耐特】
H
Hackread – Cybersecurity News, Data Breaches, AI and More
P
Proofpoint News Feed
Schneier on Security
Schneier on Security
C
Cybersecurity and Infrastructure Security Agency CISA
L
LINUX DO - 热门话题
Spread Privacy
Spread Privacy
O
OpenAI News
V
V2EX
博客园 - 三生石上(FineUI控件)
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Stack Overflow Blog
Stack Overflow Blog
P
Privacy International News Feed
Microsoft Azure Blog
Microsoft Azure Blog
Blog — PlanetScale
Blog — PlanetScale
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Jina AI
Jina AI
H
Help Net Security
L
LINUX DO - 最新话题
Application and Cybersecurity Blog
Application and Cybersecurity Blog
T
Tenable Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Cisco Talos Blog
Cisco Talos Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
酷 壳 – CoolShell
酷 壳 – CoolShell
Hacker News: Ask HN
Hacker News: Ask HN
S
Security @ Cisco Blogs
S
Securelist
T
The Blog of Author Tim Ferriss
Apple Machine Learning Research
Apple Machine Learning Research
美团技术团队
雷峰网
雷峰网
V2EX - 技术
V2EX - 技术

Vulnerabilities – ThreatDown by Malwarebytes

June 2025 Microsoft Patch Tuesday fixes two zero-days April 2025 Patch Tuesday includes one zero-day March 2025 Patch Tuesday, severity over quantity Why ransomware gangs want you to keep using that GPON router - ThreatDown by Malwarebytes Hybrid cloud environments are not safe from ransomware Windows MSHTML vulnerability actively exploited - ThreatDown by Malwarebytes Update now! Critical CVSS 10 vulnerability in Ivanti EPM - ThreatDown by Malwarebytes Update now! Four zero-days fixed in September Patch Tuesday - ThreatDown by Malwarebytes Ransomware gangs target SonicWall vulnerability
What is Cross-Site Scripting (XSS)? - ThreatDown by Malwarebytes
Sheila H · 2024-12-05 · via Vulnerabilities – ThreatDown by Malwarebytes

Cross-site scripting is a type of attack where a vulnerability in web applications is exploited and malicious script is injected into the site content.

Cross-site scripting, or XSS, is a type of injection attack where a vulnerability in web applications is exploited that allows a threat actor to inject malicious script into the site’s content. When other users visit the page, their browsers execute the script because it is stored on the server and served as part of the site’s content. 

What is cross-site scripting?

When an attacker exploits a trusted site’s vulnerability and adds malicious code or script to that site, it is known as cross-site scripting, or XSS. Once a user engages with the script, the code executes and allows the attacker to take advantage of the user within the context of the original, trusted site.

Believe it or not, cross-site scripting has been around since 1999. But while it has roots in the last century, XSS is an old problem that persists today. In fact, according to OWASP (Open Worldwide Application Security Project), injection attacks like XSS and SQL injection rank #3 on their list of top 10 web application vulnerabilities. Talk about staying power.

What is an example of cross-site scripting?

One example of cross-site scripting is when an attacker places harmful script in the comments section of a web page, such as a forum or blog post. If the site does not have guardrails in place to prevent this type of malicious activity, then the script can put other users at risk of being attacked should they interact with the content.

What are the major types of cross-site scripting attacks?

The three most common types of XSS attacks are persistent, reflected, and DOM-based:

  • Persistent XSS: Persistent, or stored, XSS is a type of vulnerability which occurs when the untrusted or unverified user input is stored on a target server. This means that a persistent XSS attack is possible when the attacker exploits a vulnerable website or web application to inject malicious code, and this code is stored on a server so it will later automatically be served to other users who visit the web page.
  • Reflected XSS: Reflected, or non-persistent, XSS is a type of vulnerability which occurs when the untrusted or unverified user input is reflected off of a web application to the browser of the victim. An attacker has to trick the user into sending data to the target site, which is often done by sending the user a specially crafted malicious link. 
  • DOM-based XSS: Unlike persistent and reflected XSS, DOM-based XSS attacks make the victim’s browser itself the vulnerability. The malicious script is not stored nor is it delivered to the server. Instead, it exploits the client-side JavaScript to make use of the lack of proper sanitization. 

Consequences of cross-site scripting attacks

The consequences of an XSS attack depend on the type of attack and the intent of the attacker. Some possible outcomes include:

  • Manipulation of user experience: If a harmful script is running on a victim’s browser under the context of a trusted website, then the victim could see a different version of the website where the attacker can manipulate what is being experienced on the screen. This could allow the victim’s cookies to be transferred to the attacker, who may be able to then access sensitive information.
  • Malware: The attacker can choose to inject malware as part of the XSS attack, which could then escape the browser and run natively on the victim’s system.
  • Phishing: If a victim clicks on a harmful link as part of a phishing campaign, it could redirect the user to another site where malicious code can be executed. Phishing is the number one delivery vehicle for ransomware, a type of software specifically designed to hold a victim’s data hostage.
  • Browser control and data access: XSS can allow attackers to control the victim’s browser, access browser history, clipboard contents, and even scan and exploit intranet applications.

How to prevent XSS attacks

Developers can help prevent XSS attacks by validating user inputs. This includes inspecting and either rejecting or approving all user-generated content on their websites. They should also encode the output, so that symbols are converted into their plain-text counterparts. This avoids the possibility of harmful scripts making it onto the website and affecting its users. However, even with these best practices in place, vulnerabilities like injection attacks are still possible.

That’s why IT teams are engaging Managed Detection and Response (MDR) Services to prevent, detect, and respond to attacks like cross-site scripting. MDR protects endpoints from vulnerabilities 24/7, so IT teams never miss a threat. And MDR teams can monitor for suspicious traffic and analyze logs to flag possible signs of XSS attempts.