Cross-site Scripting and its variants explained

Cross-site Scripting (XSS) has been making the Top 5 list of exploitable vulnerabilities since it was first discovered way back in the 1990s. The term XSS refers to a client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS is notoriously amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

For an in depth analysis of Cross-site Scripting, you may read the full article on Cross-site Scripting (XSS) which explains exactly how it works, what an attacker can do with such a vulnerability, as well as including some examples of Cross-site Scripting attack vectors.

Read the full article on Cross-site Scripting.

Types of XSS

Since its inception in 1990, XSS has evolved and it can now be classified into three major categories – Stored XSS, Reflected XSS and DOM-based XSS. Read the article on Types of XSS which gives you an indepth explanation of these 3 types of XSS and the effects they may have on your website.

Read the full article on types of XSS

XSS in the real world

In March 2015, Acunetix issued a Web Application Vulnerability Report referring to the analysis of the results of over 15,000 scans performed using Acunetix Online Vulnerability Scanner over the previous 12 months. The studies showed  Cross-Site Scripting (XSS) topping the list of vulnerabilities with a significant 38% of websites being vulnerable to an XSS attack. 95% of these XSS vulnerabilities involved Reflected Cross-site scripting, with 5% being made up of DOM-based and Stored XSS.

XSS vs blind XSS

Identified Cross-site Scripting (XSS) vulnerabilities

Share this post
Ian Muscat

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.