{"id":53383,"date":"2014-07-14T08:03:54","date_gmt":"2014-07-14T08:03:54","guid":{"rendered":"https:\/\/www.checkmarx.com\/?post_type=glossary&p=8773"},"modified":"2026-04-10T17:59:07","modified_gmt":"2026-04-10T15:59:07","slug":"cross-site-scripting-xss-attacks","status":"publish","type":"glossary","link":"https:\/\/checkmarx.com\/glossary\/cross-site-scripting-xss-attacks\/","title":{"rendered":"Cross-Site Scripting (XSS) Attacks: Types, Examples & Prevention"},"content":{"rendered":"

Definition (developer\u2011friendly)<\/strong><\/h2>\n\n\n\n

Cross\u2011site scripting (XSS) is a client\u2011side injection flaw where untrusted input is rendered in the browser without proper contextual output encoding or policy controls, allowing attacker\u2011supplied scripts to execute in a victim\u2019s session. That execution can hijack sessions, alter DOM, exfiltrate data, or pivot to additional attacks.<\/p>\n\n\n\n

 <\/p>\n\n\n

\n
\"Cross-Site
Cross-Site Scripting (XSS) Attack Example<\/figcaption><\/figure>\n<\/div>\n\n\n

<\/span><\/wp-block><\/b><\/p>\n\n\n\n

How XSS works (and why Devs still hit it)<\/h2>\n\n\n\n

IAt a high level, XSS happens when data from a request, database, message queue, template, or third\u2011party library reaches a dangerous sink<\/strong> (e.g., innerHTML<\/code>, inline event handlers, document.write<\/code>, JS string concatenation inside <script><\/code>, or URL\/attribute contexts) without context\u2011appropriate encoding. Common XSS classes: Reflected<\/strong> (non\u2011persistent), Stored<\/strong> (persistent), and DOM\u2011based<\/strong> (client\u2011side routing\/DOM manipulation).<\/p>\n\n\n\n

Types of XSS (with quick developer cues)<\/h2>\n\n\n\n

Reflected XSS<\/strong><\/h3>\n\n\n\n


Symptom:<\/em> Unsanitized input reflected immediately in a response.
Where it hides:<\/em> Search results, error messages, query\u2011param echoes.<\/p>\n\n\n\n

Stored XSS<\/strong><\/h3>\n\n\n\n


Symptom:<\/em> Payload persists in data stores and is served later to other users.
Where it hides:<\/em> Comments, user profiles, CMS fields, issue descriptions.<\/p>\n\n\n\n

DOM\u2011based XSS<\/strong><\/h3>\n\n\n\n


Symptom:<\/em> Client\u2011side code reads untrusted data and injects it into the DOM or JS context at runtime (no server\u2011side template involvement).
Where it hides:<\/em> SPA routers, client\u2011side templating, ad hoc DOM updates.<\/p>\n\n\n\n


Harden with CSP and Trusted Types<\/strong> to break common DOM injection paths.<\/p>\n\n\n\n

Preventing XSS (defense\u2011in\u2011depth)<\/h2>\n\n\n\n

1) Encode on output (by context).<\/strong>
Always apply context\u2011aware encoding for HTML body, attribute, URL, CSS, and JS contexts – ideally via your framework\u2019s auto\u2011escaping. Avoid blacklist \u201cfilters.\u201d Encode late (right before render).<\/p>\n\n\n\n

2) Prefer safe DOM APIs.<\/strong>
Use textContent<\/code>\/setAttribute<\/code> over innerHTML<\/code>, avoid inline event handlers, and never concatenate untrusted data into <script><\/code> blocks. For rich HTML, use a vetted sanitizer and keep allowed tags minimal.<\/p>\n\n\n\n

3) Enforce Content Security Policy (CSP)<\/strong>.<\/strong>
Start with default-src 'self'<\/code>, forbid unsafe-inline<\/code> by using nonces\/hashes, and disable legacy features like object-src 'none'<\/code>. CSP drastically reduces the blast radius of missed encodings and blocks many injected scripts.<\/p>\n\n\n\n

4) Add Trusted Types<\/strong> for DOM XSS.<\/strong>
Trusted Types block assignments to risky sinks (e.g., innerHTML<\/code>) unless values come from a registered policy. Combine with CSP\u2019s require-trusted-types-for 'script'<\/code> to stop entire classes of DOM\u2011based XSS.<\/p>\n\n\n\n

5) Harden cookies & session handling.<\/strong>
Use HttpOnly<\/code>, Secure<\/code>, and SameSite<\/code> cookies to limit token theft paths; pair with short\u2011lived tokens and strict authorization checks. (Best practice that complements CSP\/encoding.)<\/p>\n\n\n\n

6) Test continuously across SDLC.<\/strong><\/p>\n\n\n\n