Your IP: Unknown · Your Status: Unprotected Protected


Blog In Depth

What is cross-site scripting?

Mar 18, 2020 · 3 min read

What is cross-site scripting?

Cross-Site Scripting (XSS) is an insidious form of malware injection that can turn seemingly trustworthy sites against you. A hacker will inject malicious script into an otherwise-friendly and safe website and any unfortunate victim that triggers it may be vulnerable.

What happens next is the theft of your information. This malicious script will often infect login fields so it can steal your login details and cookies. The software will record your details and transmit them to a hacker – who will then use that information to gain control of your account.

Why is it called cross-site scripting?

A cross-site scripting attack is the act of injecting malicious coding from an ‘aggressor’ site into a friendly, unassuming site. That's how the term cross-site scripting came about.

The original term used to refer exclusively to JavaScript. However, decades after the original name was coined, the XSS term now encompasses non-JS vectors like ActiveX, Flash, HTML, and others.

Types of cross-site scripting attacks

Reflected XSS

Reflected XSS. The most common type of XSS attack. Reflected XSS happens when a user sends a request to a website’s server. A hacker’s injected, malicious script will reflect off said server and could appear as an error message, or even search results, on the victim’s screen.

The unfortunate, soon-to-be recipient of the malware will then click on a prompted button or link, thus executing the infectious code. This happens because the victim’s browser has just been fooled into thinking that the above code came from a trusted server. All information entered into the compromised site will be sent to the hacker.

Persistent XSS

Persistent XSS. Also known as Stored XSS. It’s what happens when an application or website has malicious code software that has infected all of its HTTP responses.

For example, the malware could be stored within a website’s comment field, where it will be triggered when clicked. The danger in persistent XSS is that the criminal has already laid down the trap and doesn’t need to entice a potential victim into following a link. All the hacker has to do is set the bait and wait.

DOM-based XSS. A Document Object Model (DOM), which is created as soon as someone opens up a webpage, is what allows a user to access all the content on a page without having to interact with the server. That’s why DOM XSS focuses on the victim’s browser.

In Reflective and Persistent XSS, the signs of danger are evident in the response page HTML. The threat in DOM XSS lies in how it is impossible to see the vulnerability without delving into the site’s code. The majority of victims who aren’t tech-guru’s will fall victim to this. How often do you double check the coding to a website before you click on anything?

How do I protect myself from a XSS attack?

Unfortunately, XSS attacks are hard to defend yourself from – the malware targets the websites you visit rather than your personal device.

With all kinds of malware, the best way to prevent falling victim to them is knowledge. Educating yourself to recognize the signs before you accidentally activate any malicious code is a priority for anyone looking to secure their online activity. Here are some good tips for how to stay on top of that.

  • Make it a habit to keep an eye on your URL – if something seems out of the ordinary, then be wary of any future actions you may or may not undergo on that website.
  • For those who are more technically-inclined, you can always delve into the code of every webpage you open up to check for any script that doesn’t belong.
  • Chrome, Safari, Internet Explorer, and most robust secure browsers have built-in security features that help detect and block reflected XSS. Older browsers may not have this feature.
  • NordVPN’s Cybersec feature provides an extra layer of digital kevlar – our continuously updated blacklist of malicious sites will stop you before you unintentionally trigger an infection.

Take advantage of every opportunity to strengthen your online security. Subscribe to NordVPN today and get a 30-day money back guarantee.


Charles Whitmore
Charles Whitmore successVerified author

Charles is a content writer with a passion for online privacy and freedom of knowledge. A technophile with a weakness for full Smart Home integration – he believes everyone should strive to keep up-to-date with their cybersec.


Subscribe to NordVPN blog