Techie Weblog

Web Hosting & Network Security Guide


How to Protect from XSS Attack


What is XSS


XSS stands for Cross-Site Scripting. According to Wikipedia, cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. Because the injected script runs in the victim's browser under the origin of the vulnerable site, a cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

What is XSS Attack

A Cross-Site Scripting (XSS) attack is a special type of script injection in which malicious script is injected into an otherwise benign and trusted web site. XSS attacks occur when an attacker uses a web application to deliver malicious code, generally in the form of a browser-side script, to a different end user. The attack is a client-side code injection: the attacker gets a malicious script (also commonly referred to as a malicious payload) executed by a legitimate website or web application, inside the victim's browser. Since the script runs in the context of the legitimate site, it can reach whatever that page can reach: the page's DOM, session cookies that are not marked HttpOnly, and any request the logged-in user is authorized to make. When attackers successfully exploit an XSS vulnerability they can therefore steal session tokens and credentials and perform a variety of malicious activities, such as:

  • Hijacking accounts.
  • Spreading web worms or malware.
  • Accessing browser history and clipboard contents.
  • Controlling the browser remotely.
  • Scanning and exploiting intranet appliances and applications.

We can classify XSS in these three flavors: non-persistent XSS, persistent XSS, and DOM-based XSS.

1. Non-Persistent Cross-site scripting attack

Non-persistent XSS, also known as reflected cross-site scripting, is the most common type of XSS. In this attack, data supplied by the attacker in a request (typically a URL parameter) is reflected, unencoded, in the server's response to that same request. A typical non-persistent XSS attack is therefore a crafted link carrying the XSS vector, which the attacker must get the victim to open, for example through e-mail or from another site.

2. Persistent cross-site scripting attack

Persistent cross-site scripting, also known as stored cross-site scripting, occurs when the XSS vector is stored by the website (in the database, as a comment, profile field or message) and is included in a page that other users later open. The script executes every time any user opens the affected page to see the content, without the attacker having to lure each victim to a crafted link, so persistent XSS is more harmful than non-persistent XSS.

3. DOM-based cross-site scripting attack

DOM-based XSS, sometimes called "type-0 XSS", occurs when the XSS vector executes as a result of the page's own client-side script modifying the DOM in the user's browser. The HTTP response from the server may be entirely unchanged: the vulnerable code is JavaScript on the page that reads an attacker-controlled source (such as location.hash, document.URL or document.referrer) and writes it into a sink that interprets markup or script (such as innerHTML, document.write or eval). This is the most advanced and least-known type of XSS, and it persists largely because developers do not expect client-side code to be an injection point. Server-side encoding does not help here, since the payload may never reach the server at all (the fragment after # is not sent in the request).

How to Protect from XSS Attack

Protecting against XSS attacks means following good coding practice: treat every piece of data that originates outside your own code as untrusted, and make sure it cannot be interpreted as markup or script by the time it reaches the browser. There are three general approaches to protect from cross-site scripting attacks.

1. Encode output based on input parameters.

To protect from XSS attacks, an application needs to ensure that all variable output in a page is encoded for the context it is written into before being returned to the end user. Encoding variable output substitutes the characters that have meaning in HTML with alternate representations called entities. The browser displays the entities but does not interpret them as markup. For example, <script> gets converted to &lt;script&gt;. Note that HTML entity encoding is the right choice for HTML body text and quoted attribute values only; data placed into a URL parameter, a JavaScript string or a CSS value needs the encoding of that context instead. These are the main sources of data that must be properly encoded before being used on your website:

  • The URL
  • HTTP Referer header
  • GET parameters from a form
  • POST parameters from a form
  • window.location
  • document.referrer
  • document.location
  • document.URL
  • document.URLUnencoded
  • Cookie data
  • Header data
  • Database data, if not properly validated on user input
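The following is an added example, not code from the original post, that ties the reflected and stored flavors described above to the output-encoding rule in this section. The page renderers, the in-memory comment records and the payload strings are constructed for the demonstration and stand in for a real template and database; the function names (encodeHtml, safeHref, jsString and the render helpers) are this example's own. It also goes one step beyond the paragraph by showing that one encoder is not enough: the same search term lands in an HTML body, a URL parameter inside an attribute, and a JavaScript string, and each needs its own encoding.

```javascript
// Added example (not code from the original post): output encoding per
// context for reflected and stored XSS. The renderers, the comment records
// and the payload strings below are constructed for this demonstration.

// HTML text and attribute context: the five characters that can start or
// end markup, or close a quoted attribute value, become entities.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// URL query-parameter context: percent-encode everything except unreserved
// characters. The result is then HTML-encoded as well when it is placed
// inside a quoted attribute, because it sits inside the attribute's quotes.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// href/src context: encoding alone is not enough, because an attacker
// supplied scheme such as javascript: is perfectly valid attribute text.
// Parse the value as an absolute URL and allow only http and https.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not an absolute URL: fall through to the harmless default
  }
  return '#';
}

// JavaScript string context: JSON.stringify yields a valid string literal,
// and escaping < > & keeps a "</script>" inside the data from closing the
// script element early (the HTML parser does not honour JS quoting).
function jsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Reflected XSS: the search term from the request goes straight back out
// into three different contexts.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>` +
         `<a href="/search?q=${q}">again</a>` +
         `<script>var lastQuery = "${q}";</script>`;
}

// The same page with each insertion encoded for its own context.
function renderSearchSafe(q) {
  return `<h1>Results for ${encodeHtml(q)}</h1>` +
         `<a href="/search?q=${encodeHtml(encodeUrlParam(q))}">again</a>` +
         `<script>var lastQuery = ${jsString(q)};</script>`;
}

// Stored XSS: comment records read back from the database.
function renderCommentsVulnerable(comments) {
  return comments.map(c =>
    `<li><a href="${c.website}">${c.author}</a>: ${c.body}</li>`).join('');
}

function renderCommentsSafe(comments) {
  return comments.map(c =>
    `<li><a href="${encodeHtml(safeHref(c.website))}">${encodeHtml(c.author)}</a>: ` +
    `${encodeHtml(c.body)}</li>`).join('');
}

// Constructed sample rows: one legitimate comment and two stored payloads
// (a javascript: link and an attribute break-out in the website field).
const SAMPLE_COMMENTS = [
  { author: 'Alice',   website: 'https://example.com/',
    body: 'Nice post & thanks!' },
  { author: 'Mallory', website: 'javascript:alert(document.cookie)',
    body: '<img src=x onerror=alert(1)>' },
  { author: 'Trudy',   website: 'https://example.com/" onmouseover="alert(1)',
    body: 'hi' },
];

// Constructed reflected payloads, one per context the search page writes into.
const REFLECTED_PAYLOADS = [
  '<script>alert(document.cookie)</script>',   // HTML body
  '"><script>alert(1)</script>',               // breaks out of the href attribute
  '";alert(1);//',                             // breaks out of the JS string
];

for (const p of REFLECTED_PAYLOADS) {
  console.log('vulnerable:', renderSearchVulnerable(p));
  console.log('safe:      ', renderSearchSafe(p));
}
console.log('vulnerable:', renderCommentsVulnerable(SAMPLE_COMMENTS));
console.log('safe:      ', renderCommentsSafe(SAMPLE_COMMENTS));
```

Run it with node and compare the two outputs for each payload: the vulnerable page carries the payload verbatim in the body, the href and the inline script, while the safe page shows the same data as inert entities, a percent-encoded parameter and a JSON string literal. The same rule applies to DOM-based XSS on the client side: write untrusted data with textContent or setAttribute rather than innerHTML or document.write, so the browser never parses it as markup.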

2. Filter input parameters for special characters.

With this technique, the characters that can take part in markup or script (such as < > " ' % ; ( ) &) are removed or rejected from data as it comes in from the client. While this can be an effective technique, it presents a problem wherever a page legitimately writes out HTML elements. For example, if we write out <TD> elements, a generic function that removes the special characters would strip the < and > characters, which ruins the <TD> tag; the same function also mangles ordinary text such as a name containing an apostrophe or an ampersand. Therefore, for this technique to be useful, we would only filter data passed in by the user, and also data that was previously entered by a user and stored in a database, since such data may never have been filtered at all.
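The caveat above, as an added example that is not the post's own code: a generic "strip the special characters" filter applied to submitted data, run against legitimate text, against the page's own markup, and against a record that was stored before the filter existed. The filter, the row records, the renderer and their names (stripSpecialChars, renderRow, submitRow, LEGACY_ROWS) are constructed for this demonstration.

```javascript
// Added example (not code from the original post): what a generic
// "strip special characters" input filter does to legitimate data and
// where it leaves a gap. Everything below is constructed for the demo.

// The kind of generic filter the text describes: every character that can
// take part in markup or script is removed, wherever the filter is applied.
function stripSpecialChars(input) {
  return String(input).replace(/[<>"'%;()&+]/g, '');
}

// A legitimate page fragment: the user's data sits inside a table cell.
function renderRow(row) {
  return `<tr><td>${row.id}</td><td>${row.body}</td></tr>`;
}

function renderAll(rows) {
  return rows.map(renderRow).join('');
}

// Filtering on the way in: applied only to data passed in by the user.
function submitRow(rows, id, body) {
  rows.push({ id, body: stripSpecialChars(body) });
  return rows;
}

// Constructed legacy record: stored before the input filter was added,
// so it never passed through stripSpecialChars.
const LEGACY_ROWS = [
  { id: 1, body: '<script>alert(document.cookie)</script>' },
];

// 1. Harmless text is mangled: the filter cannot tell an apostrophe in a
//    name from a quote that closes an attribute.
const mangledName = stripSpecialChars("O'Brien & Sons (est. 1990)");
// -> "OBrien  Sons est. 1990"

// 2. Applied to output instead of input, the filter destroys the page's own
//    markup: the <TD> tags go with the data.
const ruinedRow = stripSpecialChars(renderRow({ id: 1, body: 'hello' }));
// -> "trtd1/tdtdhello/td/tr"

// 3. A newly submitted payload is neutered on the way in ...
const rows = submitRow([], 2, '<img src=x onerror=alert(1)>');
// renderAll(rows) -> "<tr><td>2</td><td>img src=x onerror=alert1</td></tr>"

// 4. ... but the legacy row still renders its payload intact, because
//    input filtering only ever sees data that arrives after it was added.
const legacyPage = renderAll(LEGACY_ROWS);
// -> "<tr><td>1</td><td><script>alert(document.cookie)</script></td></tr>"

console.log(mangledName);
console.log(ruinedRow);
console.log(renderAll(rows));
console.log(legacyPage);
```

Case 4 is the reason the next approach exists: only encoding at the point of output covers data that skipped input validation, whether because it predates the filter, came in through another channel, or was imported directly into the database.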

3. Filter output based on input parameters for special characters.

In this protection method, data that was received as input is encoded at the moment it is written out as HTML. This technique is effective on data that was not validated for some reason during input, including data already sitting in the database. In Active Server Pages (ASP) the built-in Server.HTMLEncode and Server.URLEncode methods do this: calling Server.HTMLEncode on the string that is about to be displayed prevents any script in it from being executed and thus prevents the problem. Details can be found in Microsoft's documentation.

More Solutions of “How to Protect from XSS attack”

In addition, you can use the following open-source libraries to help protect from XSS attacks:


This is a PHP library that automatically detects the character encoding of the data that must be filtered.

xss_clean.php filter

This is a strong XSS filter that cleans various UTF encodings and nested exploits.

HTML Purifier

This is a standards-compliant HTML filtering library written in PHP. It rewrites user-supplied HTML against a whitelist of allowed elements and attributes and removes everything else, which protects the website from XSS in content that is meant to contain markup.


This is a library that builds the HTML tag tree of the web page, parses it and matches all tags, and then calls its filter interface to remove improper HTML attributes and XSS vectors.


It is a simple single-class utility for Java that can be used to properly sanitize user input against cross-site scripting and malicious HTML code injection.


The Author

Sukanta Dutta

The author has been writing this technical blog for the last few years. He shares his knowledge on computer networks, database technologies, and the security aspects of networks and databases. He also likes to hear from readers of this blog in order to learn more, so he welcomes guest writing for this blog.


Techie Weblog © 2015-2018