7 Ways You Are Vulnerable to XSS

xss attackCross-site scripting (XSS) attacks aren’t new. They have been around for over twenty years and have penetrated the defenses of major sites like Google, Facebook and even Yahoo. The goal of a cross-site scripting attack can be to steal data, control a session of a user, or as one part of a larger phishing scam. In order to be successful in these goals, hackers use different types of attacks.

Any site that accepts data from an outside user is vulnerable to a XSS attack, but some specific ways your site may be vulnerable include Ajax, images, password issues, title tags, style tags, and misconceptions regarding termination of a HTML string.

[Suggested reading: Is Hacking an Inside Job?]

1. Ajax

Ajax is the term used for code that combines Java Script and XML. It introduces subtle exploitation of your website. Ajax is complex and offer multiple variations of ways users can interact with a site. The way that hackers infiltrate a site that uses Ajax is subtle as well and difficult to detect. If your site uses Ajax, you may be vulnerable to XSS attacks, and may have even been victim of a hacker without realizing it.

2. Images

Inserting images into different locations on your site may make it vulnerable to XSS. There are several different aspects where this vulnerability can occur. Image tags, JavaScript code inserted into the tag, and the code used to insert an image onto a site are just some of the ways you can leave your site open to cross-site attack. When using images for your website, you need to take steps to close any vulnerability that can leave you exposed.

3. Cross-Site

This most basic type of attack is just a useful to hackers now as it was in the 1990’s when hackers first discovered and used these vulnerabilities on unsuspecting websites. This vulnerability allows a hacker to inject code because the website accepts information from a location other than the server with the same level of acceptance as if it was the server.

[Recommended reading: Is Getting Hacked Ever A Good Thing?]

4. Password Issues

When users are able to create their own passwords, they often leave sites open to attack. That is because most users don’t understand how to create a secure password. Often, the phrases they create leave openings for hackers to interject code and hijack the password and thus gain access to the website as if he or she was the user.

5. HTML String

There is a misconception created when coding that when a HTML string is used it needs a specific character to end the string. That character is usually a “;”, and if it is absent in a website, the program may not understand that the code is complete. Hackers can take advantage of this by adding their code into the HTML string and gain access.

6. Title Tags

When JavaScript is used in title tags, they can leave the site vulnerable to attack. Unless the website owner closes this vulnerability a malicious person can use to their advantage. Website owners need to be careful when creating title tags.

7. Style Tags

As with title tags, style tags with JavaScript can also create issues for a website that can be used to interject malicious code.

When creating a website, webmasters and programmers need to be aware of the potential vulnerabilities for cross-site attacks and know how to prevent it. Tags, images, passwords, HTML strings, and Ajax can make put a site at risk for XSS but there are other potential vulnerabilities as well. By eliminating these issues, either during programming or after launch, will help to make your website more secure.

[Recommended reading: Security and Penetration Testing – A Case Study]

About the Author: Fergal Glynn is the Director of Product Marketing for ways to prevent XSS with Veracode.com, an award-winning application security company specializing in secure SDLC and other security breaches with effective risk assessment tools.

[Image via siliconrepublic.com]


  1. Jafar Dhada
  2. Ashwani Kumar Singh
  3. Ray
    • Peter Lee
  4. Pramod
    • Peter Lee
  5. Steven