Cross-Site Scripting (XSS) Attacks: Detection and Prevention

SecuraProbe Team · December 22, 2025 · 7 min read

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is one of the most common web application vulnerabilities, consistently ranking in the OWASP Top 10. XSS attacks occur when malicious scripts are injected into web pages viewed by other users. These scripts can steal cookies, session tokens, or other sensitive information, deface websites, or redirect users to malicious sites.

Why XSS is Dangerous

XSS attacks can lead to session hijacking, identity theft, and unauthorized access to user accounts. Attackers can execute actions on behalf of users, potentially compromising entire applications.

Types of XSS Attacks

Reflected XSS (severity: High)

The malicious script is reflected off a web server, typically in error messages or search results. User input is immediately displayed without sanitization.

Stored XSS (severity: Critical)

The malicious script is permanently stored on the target server (database, comments, profiles). User-submitted content is stored and displayed to other users.

DOM-based XSS (severity: High)

The vulnerability exists in client-side code, where JavaScript modifies the DOM unsafely. JavaScript reads data from URL parameters and writes it to the page.

XSS Attack Examples

Reflected XSS Example

// Vulnerable code (Express handler: the search term goes into the HTML unencoded)
app.get('/search', (req, res) => {
  const searchTerm = req.query.q;
  res.send(`<h1>Search results for: ${searchTerm}</h1>`);
});

// Attack payload
// URL: /search?q=<script>alert('XSS')</script>
// Result: Script executes in victim's browser

Stored XSS Example

// Vulnerable code (Express handlers: the comment is stored as-is ...)
app.post('/comments', (req, res) => {
  const comment = req.body.comment;
  db.comments.save({ text: comment });
});

// ... and later displayed without sanitization (findAll is illustrative)
app.get('/comments', async (req, res) => {
  const comments = await db.comments.findAll();
  res.send(comments.map((c) => `<p>${c.text}</p>`).join(''));
});

// Attack payload
// Comment: <img src=x onerror="stealCookies()">
// Result: Script executes for all users viewing the comment

Prevention Strategies

1. Output Encoding / Escaping

Always encode user input at the point where it is written into a page, using the encoding for the context it lands in:

  • HTML context: Use HTML entity encoding (< → &lt;)
  • JavaScript context: Use JavaScript encoding
  • URL context: Use URL encoding
  • CSS context: Use CSS encoding

2. Content Security Policy (CSP)

Implement CSP headers to control which scripts can run. A policy that only allows scripts from your own origin:

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';

Do not add 'unsafe-inline' to script-src: it re-enables exactly the inline scripts an XSS payload injects. If a page needs inline scripts, allow them individually with a per-response nonce ('nonce-...') or a hash ('sha256-...').

3. Input Validation

Validate and sanitize all user input on the server side:

  • Whitelist allowed characters and patterns
  • Reject input that contains script tags
  • Use libraries like DOMPurify for HTML sanitization

4. Use Safe Frameworks

Modern frameworks like React, Vue, and Angular automatically escape content, but always use their templating systems correctly. Never use dangerouslySetInnerHTML without sanitization.

Secure Coding Examples

❌ Vulnerable Code

// DANGEROUS - Direct string interpolation
const userInput = req.body.comment;
document.getElementById('content').innerHTML = userInput;

✅ Secure Code

// SAFE - option 1: textContent never parses HTML, so assign the raw string
const userInput = req.body.comment;
document.getElementById('content').textContent = userInput;

// SAFE - option 2: if innerHTML is unavoidable, encode for the HTML context first
// (encoding and then using textContent would show the entities literally)
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
document.getElementById('content').innerHTML = escapeHtml(userInput);

// Or use framework's built-in escaping
// React: <div>{userInput}</div> // Automatically escaped
// Vue: {{ userInput }} // Automatically escaped

Detection with SecuraProbe

SecuraProbe automatically detects XSS vulnerabilities in your web applications:

  • Tests for reflected XSS in URL parameters and form inputs
  • Identifies stored XSS in user-generated content
  • Detects DOM-based XSS vulnerabilities
  • Validates CSP implementation

Test Your Application for XSS Vulnerabilities

Use SecuraProbe to automatically scan your web applications for XSS and other security vulnerabilities.
