Cross site scripting

From Citizendium
Jump to navigation Jump to search
This article is developing and not approved.
Main Article
Definition [?]
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
This editable Main Article is under development and subject to a disclaimer.

Cross site scripting (XSS) is a programming flaw that allows attackers to inject arbitrary script into a web site. There are two main types of cross site scripting - stored and reflected. DOM based cross site scripting is a third type of cross site scripting.

Stored Cross Site Scripting

Stored cross site scripting involves a persistent script that an attacker can inject into a web application that is served to other requesters of a web page. A typical example of a stored XSS occurs when a malicious script is stored in a database that is used to compose page content for site visitors. This results in every site visitor requesting pages composed of database data containing malicious script.

Reflected Cross Site Scripting

Reflected cross site scripting is a vulnerability that results when malicious scripts in request parameters are used to compose page responses in web applications. Reflected XSS does not persist, but is still useful for attackers who can obfuscate parameters and perform trust exploitation attacks.


Cross site scripting flaws can be used to expose and steal cookies from victim's browsers. This could lead to credential exposure or account hijacking. Additionally, XSS flaws might allow an attacker to utilize same domain origin to carry out complex cross site request forgery (XSRF). This vector might even allow attackers to bypass XSRF protections.