
Why Everyone Needs to be Aware of Cross-Site Scripting Attacks

Cross-site scripting attacks are soaring - and strikingly inconspicuous. Here's what to look out for.

By CBR Staff Writer

What is a Cross-Site Scripting attack?

A cross-site scripting attack (also known as XSS) defeats many of the most sophisticated security defences we have to date. A general internet user can be caught out by its striking inconspicuousness: by simply clicking on a link in an email, or any link on a website for that matter, your data could be in serious jeopardy.

Will this really affect me?

According to Guy Podjarny, CEO of the open source security firm, occurrences of XSS attacks grew by nearly 40% in Q1 of 2017 and, shockingly, “XSS prevalence is consistently high—since 2012 around 50% of all website vulnerabilities are XSS”.

This means that XSS is a big deal for every type of user, so understanding how it works and the measures one can take to avoid it is crucial.

How does XSS work?

Simply put, XSS turns your own browser against you by exploiting websites that have not properly checked that the data they receive is not malicious (a step formally known as input sanitisation). A concrete example of this can be seen in the following URL:

Focusing on the ‘userInput’ segment of the URL, this is where an attacker can place a malicious script such as:

Once a user clicks on such a URL, the script runs inside the user’s browser, and the sensitive data the browser holds about the user can then be forwarded to the attacker’s computer, leading to the theft of passwords and other such sensitive data.
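As an added example (not code from the original article), the snippet below reproduces the flaw just described in plain JavaScript: a site echoes the ‘userInput’ query parameter straight into its page, beside the same site with input sanitisation applied. The site name example.com and the harmless test payload are constructed for the demonstration; it runs under Node without a browser.

```javascript
// Added example: reflected XSS from a URL parameter, vulnerable vs. sanitised.

// Minimal HTML entity encoder for text placed in an element body or a
// quoted attribute: & < > " ' are the characters that must not pass through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  })[ch]);
}

// Read the 'userInput' query parameter the article refers to.
function getUserInput(url) {
  return new URL(url).searchParams.get("userInput") ?? "";
}

// VULNERABLE: the parameter is concatenated unchanged into the page,
// so any tags the attacker placed in the URL become part of the page.
function renderVulnerable(url) {
  return `<p>You searched for: ${getUserInput(url)}</p>`;
}

// SANITISED: the same value is HTML-escaped before it reaches the page,
// so the browser shows the text instead of executing it.
function renderSafe(url) {
  return `<p>You searched for: ${escapeHtml(getUserInput(url))}</p>`;
}

// Simple check: does the rendered HTML contain a script tag the site
// author never wrote?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample URL (hypothetical site, benign canary payload).
const SAMPLE_URL =
  "https://example.com/search?userInput=" +
  encodeURIComponent("<script>alert(1)</script>");

console.log(renderVulnerable(SAMPLE_URL)); // the script tag survives intact
console.log(renderSafe(SAMPLE_URL));       // rendered as harmless text
```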

How can I avoid this?

One simple way to avoid this is to thoroughly check the URLs that you click on, whether browsing the web or reading emails. Given a URL such as:, a user should be cautious, as it is very likely that an attacker is trying to trick them into believing they are navigating to Google.

The same principle applies to emails, in this case to the sender’s email address. Email addresses such as are very likely not to be from your official account with Apple!

Does this mean I am safe now?

No, but it means that you are less susceptible to being a victim of an XSS attack. Being aware of the simple principles discussed earlier is a fantastic first step, both in raising awareness of this attack and in dispelling the misconception that a firewall and antivirus can prevent such attacks (they help, but cannot guarantee safety).

I would like to learn more about this

Despite the simple yet effective measures one can take to reduce the likelihood of an XSS attack, it is still quite a technical subject. With this in mind, the technically inclined can access a whole host of resources relating to the subject on OWASP (Open Web Application Security Project), which breaks the subject down in further detail [2].

Meanwhile: be careful of what you click!
