What’s Cross-Site Scripting (XSS), & Why It Is A Security Threat

Chris Hoffman 25-07-2012

cross site scriptingCross-site scripting vulnerabilities are the biggest website security problem today. Studies have found they’re shockingly common – 55% of websites contained XSS vulnerabilities in 2011, according to White Hat Security’s latest report, released in June 2012. While most people have heard of computer viruses A Brief History Of The 5 Worst Computer Viruses Of All Time The word "virus" and its association with computers was affixed by American computer scientist Frederick Cohen who used it to describe "a program that can 'infect' other programs by modifying them to include a possibly... Read More and other such problems, XSS vulnerabilities remain unknown to the average person.


A cross-site scripting vulnerability allows an attacker to execute arbitrary JavaScript code (from another site) on a web page. The code executes on the web page in the user’s browser.

An Example – The Twitter StalkDaily Worm

Let’s take a look at an XSS attack that occurred in the past with Twitter How to Use Twitter Twitter can be overwhelming at first, but we're here to help you make sense of it. Here's a complete guide to using Twitter and understanding how it works. Read More . In 2009, the StalkDaily worm What Is The Difference Between A Worm, A Trojan & A Virus? [MakeUseOf Explains] Some people call any type of malicious software a "computer virus," but that isn't accurate. Viruses, worms, and trojans are different types of malicious software with different behaviors. In particular, they spread themselves in very... Read More proliferated throughout Twitter. When a Twitter user visited an infected user’s profile page, their profile page also became infected, spreading the worm. The worm also sent out tweets from each infected account.

So, how exactly did the StalkDaily worm work? Did someone hack Twitter’s web servers? Not quite – although it was a sort of hack.

Each Twitter user can set a short bio on their profile page. Users enter text in a profile box and, once they save the profile, the text appears on their profile page. Someone realized that Twitter didn’t properly sanitize the text input from the bio box (we’ll get to this later) – it just placed the text users entered directly into the web page’s source code. This allowed a user to enter an HTML <script> tag that loads a JavaScript file from a third-party web server.

cross site scripting


When another Twitter user visited the infected profile page, their browser loaded the script. The script had full access to everything the official Twitter code used on the page – so the script was able to ask for the user’s Twitter cookie (which stores the user’s login state) and username from the browser. The script then sent this information back to the third-party web server. With these details, the third-party web server could authenticate as the Twitter user, modify the user’s bio to spread the worm, and send tweets from the user’s account.

How Developers Can Prevent XSS Attacks

One simple rule allows web developers How To Tell If Someone Is a Good Web Developer For Your Project Picking someone to build a website for you is not an easy task. Even if you are not building the next Gmail, you should be doing things right the first time. But picking a good... Read More to prevent cross-site scripting attacks: Don’t trust any input that comes from users. For example, in Twitter’s case, they shouldn’t have trusted the text users entered into their bio boxes. Twitter should have taken the text and “sanitized” or “escaped” it – for example, <script> should be changed into &lt;script&gt; – it will appear as <script> on the page, but won’t run as HTML code.

Similarly, an online shopping website like Amazon Prices Drop Monitor Allows You To Snag Any Deal On Amazon Great values in their premium services, like Amazon Prime, keep millions of shoppers coming back. It can be painstaking to window shop every other day and wait patiently for the right deal to come around.... Read More shouldn’t trust user-submitted reviews – it should sanitize all review text to ensure it’s safe.

cross site scripting attacks


There are other methods developers can use to mitigate against XSS attacks, as well – for example, the W3C Content Security Policy specification allows web developers to restrict a web application to only load scripts from specific URLs. Developers can also set HttpOnly for their cookies, which prevents scripts from accessing them.

XSS Plus Other Vulnerabilities

XSS attacks can be extra dangerous when coupled with other vulnerabilities. For example, an XSS attack can load a script that exploits a security vulnerability in a web browser or plug-in Browser Plugins - One of the Biggest Security Problems on the Web Today [Opinion] Web browsers have become much more secure and hardened against attack over the years. The big browser security problem these days is browser plugins. I don’t mean the extensions that you install in your browser... Read More such as Flash or Java. If an attacker compromised a product review page on an online store’s website, the attacker could load code that exploits the vulnerability, and compromise every unpatched computer that views the product page. This makes it particularly important for developers to secure their websites against XSS attacks.

How You Can Prevent XSS Attacks

If you’ve gotten to this point, you’re probably wondering just what you – as a user – can do to prevent XSS attacks. The bad news is that, for the most part, web developers are the ones that need to get this right. However, there are still some things you can do:

cross site scripting


Have you had any experience with XSS attacks? Leave a comment and share your experience – if you have any questions about XSS vulnerabilities, we’d be happy to answer those, too.

Image Credit: 3D Communication Concept via Shutterstock

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Sire
    December 18, 2014 at 12:54 pm

    hey chris, thanks a lot for taking time out and giving us a huge heads up with issues such as these that affects us one and all. Good looking out bro, until ur next post. happy holidays

  2. vineedcool
    August 2, 2012 at 1:42 pm

    den will u make article about SQL injection???i whould like to learn about that!!!

    • Chris Hoffman
      August 7, 2012 at 7:10 am

      Sounds like a good idea to me!

  3. ecd4a4d35dce1b96560e85a8ce64f578
    July 27, 2012 at 2:55 am

    Glad that you are bringing information like this to the public. Awareness helps. :)

    • Chris Hoffman
      August 1, 2012 at 10:19 am

      Very true. XSS vulnerabilities aren't that hard to understand, but people so rarely bother explaining exactly what they are.

      • Andy
        September 16, 2012 at 6:36 pm

        Hi Chris, thanks for this post, I found this the best description of XSS yet :-)

  4. Gian Singh
    July 26, 2012 at 7:23 pm

    interesting, thank you very much.

  5. Shakirah Faleh Lai
    July 26, 2012 at 9:05 am

    Should I disable JavaScrpt entirely like you did?

    • Chris Hoffman
      August 1, 2012 at 10:18 am

      I wouldn't, to be honest -- you can't function very well on the web without javascript these days (some people disagree).

      There are other possible vulnerabilities too -- websites can be vulnerable to SQL injections that compromise the server itself, so that problem can affect you whether you're running JavaScript or not.

      But SQL injections are another article.

  6. Rahul Jain
    July 26, 2012 at 5:52 am

    Nice Article. Does this Twitter vulnerability still exist? Or it has been fixed?

    If left unfixed, It would make sense to access twiiter from clients rather than the site itself.

    • Chris Hoffman
      August 1, 2012 at 10:17 am

      It has been fixed, of course! It's an old one -- they're easily fixed once they're discovered.

  7. Adjei Kofi
    July 25, 2012 at 10:14 pm

    Nice. Facebook also faced this same issue somewhere last year. It had to do with an attacker spreading pornographic content on a user's profile page. Facebook later came to out to say that it was an XSS issue. i didn't understand it then but now I do. Thanks :)

    • Nolan Quigley
      July 26, 2012 at 1:19 am

      Did Facebook ever fix the XSS problem, as explained in example 1?

      • Chris Hoffman
        July 26, 2012 at 5:31 am

        I would bet so -- these problems are easily fixed once discovered, but there are probably other XSS vulnerabilities elsewhere on Facebook, sadly.