Loading ...

HTTPCSEuropean cybersecurity leader

| About us

Cross-Site Scripting (XSS) vulnerability

What is an XSS vulnerability and how to prevent it?

An XSS (also known as Cross-Site Scripting) is a vulnerability that allows code injection (any language interpreted by a browser) into a website to change its way of displaying. It is mostly due to programming errors or too much confidence in a user's inputs.

14 days Free trial

No Commitment

No Credit Card

OWASP ranking

What is a Cross-Site Scripting vulnerability ?

There are two types of XSS vulnerabilities : Reflected XSS (or non-persistent) and Stored XSS (or persistent).

An XSS vulnerability would allow an individual to :


  • Make redirections in order to perform phising

  • Steal informations (Cookies, sessions ...)

  • Perform actions on the vulnerable site without the victim's knowledge


Security flaws

Reflected XSS (or non-persistent)

It is called non-persistent because it is not stored in a file or in a database. This type of XSS vulnerability does not store malicious content on the web server. For example, the content is delivered to the victim via a URL that contains it (sent by email or by other means).

Most web browsers have integrated in their latest versions an anti-XSS filter (Chrome, IE, Safari, Opera, Edge). It analyzes the rendering of a page sent by the server and removes any occurrence of javascript that would also be present in the client request. This protects users from a Reflected XSS but not from a Persistent XSS.

Example :

You are browsing a site allowing you to see the weather forecast for a given city. The name of the city is provided in the URL of the page via a parameter "GET", like this way: www.meteo.com/previsionsmeteo?ville=Montpellier

The forecast for the city of Montpellier will be displayed on the page returned by the server of the weather website. The hacker can use the same URL to provide malicious content like this way: www.meteo.com/previsionsmeteo?ville=Montpellier<script>alert(document.cookie) ;</script>

With such content in the URL, the web server will therefore display the weather forecast for Montpellier, but will potentially also include dangerous content in the page.

Stored XSS (or persistent)

The persistent XSS vulnerabilty is the most dangerous one because it will be executed each time the site is loaded. In fact, the latter is stored either in a file or in a database. Let us take for example a discussion forum.
The attacker posts a message or comment containing malicious content. When other users visit the page, containing the fraudulent message or comment, this one is executed.

You are browsing a site allowing you to see the weather forecast for a given city. The name of the city is provided in the URL of the page via a parameter "GET", like this way: www.meteo.com/previsionsmeteo?ville=Montpellier

The forecast for the city of Montpellier will be displayed on the page returned by the server of the weather website. The hacker can use the same URL to provide malicious content like this way: www.meteo.com/previsionsmeteo?ville=Montpellier<script>alert(document.cookie) ;</script>

With such content in the URL, the web server will therefore display the weather forecast for Montpellier, but will potentially also include dangerous content in the page.

Secure your sites

How to protect you against Cross-Site Scripting vulnerabilities?

The most suitable solution against this vulnerability is to use the “htmlspecialchars()” function. This function allows to filter icons such as <, & or ", replacing them by their equivalent in HTML language. For instance :

  • The symbol & becomes &amp;
  • The symbol " becomes &quot;
  • The symbol ' becomes &#39;

You can also use PHP function "htmlentities ()": Converting characters into entities is often used to prevent browsers from using it as an HTML element. This can be particularly useful for preventing code execution when users can access to the display entry on a page.

Web Vulnerability Scanner of HTTPCS

How to detect TOP 10 OWASP vulnerabilities?

Detect security flaws on your website or web application thanks to the Web Vulnerability Scanner of HTTPCS. This online security tool allows you to detect any flaws you have (top 10 OWASP, CVE and other vulnerabilities implemented in the robot) to ensure the best protection of your site on a daily basis. Easily schedule automated audits, discover your vulnerabilities and find out what patches to apply to avoid being hacked.

Test for free the XSS Scanner

14 days Free trial

No Commitment

No Credit Card