How To Stay Protected From XSS Attacks In 2021?

People all over the globe use the internet for many purposes, from students working on school projects to professionals preparing presentations; one way or another it is part of our daily lives. A great deal of information is spread across the more than 1.88 billion websites that exist, so users have a wide range to choose from. Alongside that growth, one threat has loomed constantly over the internet: cybercrime. Among the most common web application vulnerabilities abused in such crime is cross-site scripting (XSS), whose payloads are frequently delivered to victims through phishing links.

In this article, we will talk about what XSS is and the XSS best practices you can implement to steer clear of this threat.

What is XSS?

XSS, short for Cross-Site Scripting, is a web security vulnerability that allows an attacker to interfere with the interactions a user has with a vulnerable application. It is a type of injection attack: the attacker injects malicious script into an otherwise trusted website, and the victim's browser runs that script with the privileges of the site. XSS attacks generally target the application's users directly rather than the application's host, because the injected script executes in the browser, not on the server. A successful XSS attack can have devastating consequences for an online business's reputation and customer relationships.

Types of XSS Attacks 

Here is a list of some common types of XSS attacks:

1. Stored (Persistent) Cross-Site Scripting

Stored cross-site scripting occurs when the attacker's payload is saved by the vulnerable application itself, for example in a database record, a comment, or a forum post, and is later served to other visitors as part of a page. This is the most common and most dangerous type of cross-site scripting because it requires only one action from the attacker and then compromises every user who views the stored content. Typical injection points are profile fields such as your phone number or email address, which are displayed on your account page and often on pages other users can see.

2. Reflected Cross-Site Scripting

Reflected cross-site scripting occurs when the payload is carried in the request the browser sends to the server, for example in a URL parameter, and the server echoes it back unencoded in the immediate response. A search form that prints "You searched for: ..." is the classic example. Because nothing is stored, attackers usually have to send victims a crafted link to the vulnerable page, often through phishing, so that the victim's own request delivers the payload and the browser executes it when the response is rendered.

3. Self Cross-Site Scripting

Self cross-site scripting happens when the only person who can trigger the payload is the victim, because exploiting the flaw requires a manual change in a very specific context. Examples include setting your own profile information or a cookie value to a payload, or being socially engineered into pasting script into the browser's developer console. Since the attacker has no way to deliver the payload to anyone else, the user is the only victim, and self-XSS is usually treated as low severity.

4. Blind Cross-Site Scripting

In blind cross-site scripting the payload is stored, but it fires on a page the attacker cannot see, for instance an administrative panel, a log viewer, or a support ticket queue that only authorized users can open. Because the attacker gets no immediate feedback, the attack needs more preparation: the payload typically includes a callback to an attacker-controlled server so the attacker learns when and where it executed. Hackers will often use polyglots, payloads crafted to execute in many different contexts, such as plain text, inside a script tag, or inside an attribute, since they do not know in advance how the stored data will be rendered.

5. DOM-Based Cross-Site Scripting

DOM-based cross-site scripting happens when the vulnerability lies in the page's own client-side JavaScript rather than in the server's response. Values taken from the URL, such as the query string or the fragment after the #, are used by the script to modify the page after it has loaded, which is how JavaScript adds interactivity. When the script writes such a value into the DOM through a sink like innerHTML or document.write without sanitizing or encoding it, attackers can inject code that runs in the victim's browser; in the fragment case the payload never even reaches the server, so server-side filtering cannot catch it.
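The source-to-sink pattern described above, as an added example that is not code from the original article. In a browser the source would be window.location and the sink a real element; both are stubbed here so the snippet also runs under Node, and the payload, the query string and the URL path mentioned in the comments are constructed for illustration.

```javascript
// Added example, not code from the original article: the DOM-based XSS
// "source to sink" pattern in plain JavaScript. The element stub, the payload
// and the query string are constructed samples.

// Stand-in for a DOM element. On a real element, assigning innerHTML makes the
// browser parse the string as markup, while assigning textContent never does.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Source: attacker-controlled data arriving through the URL query string,
// e.g. https://example.test/welcome?name=... (hypothetical URL).
function nameFromSearch(search) {
  return new URLSearchParams(search).get('name') || 'guest';
}

// VULNERABLE: the untrusted value flows straight into the innerHTML sink.
// A real browser would parse the <img> tag and run its onerror handler.
function renderGreetingUnsafe(search, el) {
  el.innerHTML = 'Hello, ' + nameFromSearch(search);
  return el;
}

// FIXED: textContent treats the value as text, so the same payload is shown
// literally and never becomes markup.
function renderGreetingSafe(search, el) {
  el.textContent = 'Hello, ' + nameFromSearch(search);
  return el;
}

// Constructed query string as it would look after a victim follows a crafted
// link. With the fragment (#...) form the payload would not even reach the
// server, which is why server-side filtering misses DOM XSS.
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';
const CRAFTED_SEARCH = '?name=' + encodeURIComponent(PAYLOAD);

console.log('unsafe sink :', renderGreetingUnsafe(CRAFTED_SEARCH, makeElement()).innerHTML);
console.log('safe sink   :', renderGreetingSafe(CRAFTED_SEARCH, makeElement()).textContent);
```

The fix is choosing the sink, not filtering the source: textContent (or setting the value through a templating library that encodes by default) cannot produce markup no matter what the URL contains. When code genuinely needs to insert HTML built from user data, it must go through a sanitizer first.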

What can XSS be used for?

XSS can be used for the following:

  1. Carry out any action that the user can perform.
  2. Impersonate or masquerade as the victim user.
  3. Capture the user's login credentials.
  4. Read any data that the user can access.
  5. Inject Trojan functionality into the website.
  6. Perform virtual defacement of the website.

Best Practices to Prevent Cross-Site Scripting Attacks

Some of the XSS best practices are as follows:

1. Allowlist Values

Allowlisting means rejecting any input that is not one of a known set of safe values, so that only expected data reaches the server's logic and, eventually, the page. Restricting user input this way only works when you know in advance what data you will receive: it suits fields whose values you define yourself, such as the options of a drop-down menu or a sort order, and is not practical for free-form user content such as comments, which must be handled by sanitization and output encoding instead.
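Allowlist validation as it would look on the server, as an added example that is not code from the original article. The field names ("sort", "username"), the allowed values and the sample request bodies are hypothetical; a free-text field such as a comment deliberately has no validator here because it cannot be allowlisted and must be encoded on output instead.

```javascript
// Added example, not code from the original article: server-side allowlist
// validation in Node.js. Field names, allowed values and sample bodies are
// hypothetical.

// Exact-match allowlist for a field whose possible values you define yourself,
// such as a drop-down. Anything else is rejected outright.
const ALLOWED_SORT = new Set(['name', 'date', 'price']);

function validateSort(value) {
  return ALLOWED_SORT.has(value) ? value : null;
}

// Pattern allowlist for a field with a known shape. The regex is anchored at
// both ends and uses a closed character class, so <, >, ", ' and & can never
// pass, however the attacker encodes them.
const USERNAME_RE = /^[a-z0-9_]{3,20}$/;

function validateUsername(value) {
  return typeof value === 'string' && USERNAME_RE.test(value) ? value : null;
}

// Validate a whole request body, reporting every failure rather than silently
// dropping fields. Unknown keys are ignored, so extra parameters cannot smuggle
// data into the validated object.
function validateProfileQuery(body) {
  const errors = [];
  const sort = validateSort(body.sort);
  if (sort === null) errors.push('sort: value not in allowlist');
  const username = validateUsername(body.username);
  if (username === null) errors.push('username: must match ' + USERNAME_RE.source);
  return errors.length > 0 ? { ok: false, errors } : { ok: true, value: { sort, username } };
}

// Constructed sample inputs: a normal request and one carrying XSS payloads.
const GOOD_BODY = { sort: 'date', username: 'alice_01' };
const BAD_BODY = { sort: 'name"><script>alert(1)</script>', username: '<b>alice</b>' };

console.log(validateProfileQuery(GOOD_BODY));
console.log(validateProfileQuery(BAD_BODY));
```

Note that the validators return the original value or null and never try to "clean" a bad value; stripping characters out of hostile input is how filters get bypassed, and rejecting it keeps the allowlist honest.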

2. Avoid and Restrict HTML in Inputs

HTML in user input should be limited to trusted users, even when rich content is needed. Consider offering a different way to produce formatting, such as Markdown, so that users can style their text without submitting raw HTML. Where HTML must be accepted, sanitize it with a reliable, maintained sanitizer such as DOMPurify (for example, DOMPurify.sanitize(dirty) in the browser) to strip unsafe tags and attributes, rather than writing your own filter, which is easy to get wrong.

3. Sanitize Values

When inserting user-generated content into a page, encode it for the context it lands in. In HTML body text and in quoted attribute values, replace the unsafe characters <, >, &, " and ' with their respective HTML entities (&lt;, &gt;, &amp;, &quot; and &#39;). Entities render like the regular characters but cannot be used to form tags or attributes. The correct encoding depends on where the data is placed: a value dropped inside a JavaScript string or a URL needs a different encoding than one placed in HTML text, and encoding only some of the characters is a common mistake.
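Entity encoding at the point of output, as an added example that is not code from the original article. It contrasts full encoding with the common mistake of encoding only angle brackets, using a constructed display-name payload that contains no < or > at all and therefore survives the weak encoder intact when it lands inside an attribute. The page template and the function names are assumptions.

```javascript
// Added example, not code from the original article: HTML entity encoding
// applied where user content is written into a page, and why encoding only
// < and > is not enough once the value lands in an attribute. The payload and
// the page template are constructed samples.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Full HTML encoding: safe for text nodes and for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Deliberately incomplete encoding (a common mistake): angle brackets only.
function escapeAngleBracketsOnly(value) {
  return String(value).replace(/[<>]/g, (ch) => HTML_ENTITIES[ch]);
}

// Renders a profile page fragment. The same user value lands in two contexts:
// inside a quoted attribute and inside body text.
function renderProfile(displayName, escape) {
  return (
    `<input name="display_name" value="${escape(displayName)}">` +
    `<p>Signed in as ${escape(displayName)}</p>`
  );
}

// Constructed payload aimed at the attribute context: no angle brackets, so
// bracket-only encoding leaves it untouched and the double quote closes the
// value attribute early.
const ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)';

// Quick check: does the rendered markup contain a live onfocus attribute?
function hasLiveOnfocus(html) {
  return /\sonfocus="/i.test(html);
}

console.log('bracket-only:', renderProfile(ATTR_PAYLOAD, escapeAngleBracketsOnly));
console.log('full        :', renderProfile(ATTR_PAYLOAD, escapeHtml));
```

With full encoding the attribute stays closed because every " from the user becomes &quot;, and the browser still shows the user the literal text they typed. In practice you would get this from a templating engine that encodes by default rather than calling an escape function by hand at every output point.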

4. Use HTTPOnly Flags on Cookies

A session cookie is the mechanism that allows a website to recognize a user between requests, and attackers often steal admin sessions by exfiltrating that cookie with injected script. Once a cookie has been stolen, the attacker can replay it and act as that user without ever knowing their credentials. To make this harder, set the HttpOnly flag on session cookies so that JavaScript, including injected script, cannot read them through document.cookie.

Note: HttpOnly only stops the cookie from being read by script. An attacker who has injected script can still make requests from the victim's browser, which attaches the cookie automatically, and so act as the admin for as long as the session is active.

The flag therefore helps only when cookies are the session identification mechanism; a token kept where script can read it, such as web storage, gets no protection from it.
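A hardened Set-Cookie header and a check for the flags it should carry, as an added example that is not code from the original article. The cookie name, value and sample headers are constructed, nothing talks to a real server, and the audit function is something you would point at the Set-Cookie headers seen in a proxy or the browser's developer tools when reviewing an application.

```javascript
// Added example, not code from the original article: building a hardened
// Set-Cookie header for a session cookie and auditing an existing header for
// the flags that matter. Cookie names, values and sample headers are
// constructed.

// Produce the Set-Cookie value for a session cookie. HttpOnly keeps it out of
// document.cookie; Secure keeps it off plain HTTP. SameSite=Lax is included as
// common practice against cross-site request forgery, which is not an XSS
// defence.
function sessionCookieHeader(name, value, maxAgeSeconds) {
  return [
    `${name}=${value}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Parse one Set-Cookie header into its cookie name and a case-insensitive
// attribute map (flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    const val = i === -1 ? true : part.slice(i + 1);
    attrs.set(key, val);
  }
  return { name, attrs };
}

// Report which hardening flags a session cookie is missing.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.has('httponly')) findings.push('missing HttpOnly: injected script can read this cookie');
  if (!attrs.has('secure')) findings.push('missing Secure: cookie is sent over plain HTTP');
  return { name, findings };
}

// Constructed sample headers: one as often seen in the wild, one hardened.
const WEAK_HEADER = 'sessionid=2f9c1e; Path=/';
const STRONG_HEADER = sessionCookieHeader('sessionid', '2f9c1e', 3600);

console.log(auditSessionCookie(WEAK_HEADER));
console.log(auditSessionCookie(STRONG_HEADER));
```

Keep in mind what the audit does not tell you: a cookie that passes still rides along on every request the injected script makes from the victim's browser, so HttpOnly limits the damage of an XSS bug rather than preventing it.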

5. Use a WAF to Protect against Cross-Site Scripting Attacks

A web application firewall (WAF) can virtually patch a vulnerable site by inspecting incoming requests and blocking those that match attack patterns for RCE, SQL injection and XSS before they ever reach the application. Many WAF services also absorb large-scale attacks such as Distributed Denial of Service (DDoS). Treat a WAF as a layer of defence in depth rather than a substitute for fixing the code: signature-based filters can be bypassed with alternative encodings, and DOM-based XSS whose payload never reaches the server is invisible to it.


Cross-Site Scripting, or XSS, is a very common type of attack that can be used to steal a user's information or act on their behalf. Developers can implement the measures listed in this article to prevent XSS attacks in their applications, and users benefit from safer browsing as a result. With the constant development of technology, we can expect better prevention methods to emerge in the future to protect users from these frequent attacks.
