
Author: Government Digital Service (GDS)

Reflected Cross-Site Scripting (XSS)

What this means

Reflected Cross-Site Scripting (XSS) is a web security vulnerability in which a website takes data from an HTTP request and includes it in the response without encoding it for the context in which it is written. An attacker can supply a script as that data, which is then reflected back to the user through:

  • manipulated URLs (for example, query string parameters)
  • form inputs
  • HTTP headers (for example, Referer or User-Agent)

For a reflected XSS attack to work, the attacker must get the victim to send the crafted request, typically by distributing a link containing the payload (for example, in an email or social media post). When the victim follows the link, the vulnerable site reflects the payload into its response and the script executes in the victim’s browser, within the site’s origin and with the access of the victim’s own session.

Why this is a problem

XSS attacks allow attackers to:

  • steal session cookies
  • redirect users to fake login pages
  • deface websites
  • perform other malicious actions

Some of the risks associated with XSS attacks are:

  • session hijacking – attackers can steal authentication cookies (or make requests with the victim’s session) and impersonate users
  • phishing attacks – victims may be tricked into entering credentials on a fake login page that appears under the trusted site’s address
  • malware distribution – the injected script can load further payloads, such as keyloggers, or redirect the user to sites serving trojans
  • defacement and content injection – attackers can modify online content to spread misinformation
  • data theft – sensitive user data, like payment details or personal information, can be read from the page and sent to the attacker

How to check if the problem is there

XSS flaws can be hard to spot because whether a value is dangerous depends on where in the page it is written. Currently the best way to find them is a security review of the code: trace every value taken from the HTTP request (query string, form fields and headers) to the point where it is written into the response, and check that it is encoded for that context. Complement the review with testing: submit a harmless, unique probe string through each input and check whether it comes back in the response unencoded.
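The probe-and-check approach described above, as an added example that is not part of this GDS guidance. The target is a constructed in-memory page standing in for a real server (`fake_server`, which deliberately reflects some inputs unencoded); replace it with an HTTP client to use the scanner against a site you are authorised to test.

```python
"""Probe a page for reflected input and classify how each value comes back.

Added example, not the GDS guidance's own code. `fake_server` is a
constructed stand-in for a vulnerable web application; `scan` only needs
a callable that takes (query_params, headers) and returns the response body.
"""
import html
import secrets
from typing import Callable, Dict, List, Optional


def build_probe(canary: str) -> str:
    # Characters that break out of HTML text and attribute contexts, plus a
    # unique canary so the reflection can be located unambiguously.
    return f'"><{canary}>'


def classify_reflection(body: str, canary: str) -> str:
    """Return how the probe built from `canary` appears in `body`."""
    probe = build_probe(canary)
    if canary not in body:
        return "not reflected"
    if probe in body:
        return "reflected raw"         # tag-breaking characters survived: likely XSS
    if html.escape(probe) in body:
        return "reflected encoded"     # &quot;&gt;&lt;...&gt;: safe in HTML body or quoted attribute
    return "reflected modified"        # partially filtered or re-encoded: review by hand


def fake_server(query: Dict[str, str], headers: Dict[str, str]) -> str:
    """Constructed vulnerable page: echoes `q` and User-Agent unencoded, `name` encoded."""
    q = query.get("q", "")
    name = html.escape(query.get("name", ""))
    ua = headers.get("User-Agent", "")
    return (
        f"<p>Results for {q}</p>"
        f"<p>Hello {name}</p>"
        f'<input type="hidden" name="ua" value="{ua}">'
    )


def scan(
    send: Callable[[Dict[str, str], Dict[str, str]], str],
    params: List[str],
    header_names: List[str],
    canary: Optional[str] = None,
) -> Dict[str, str]:
    """Inject the probe into each parameter and header separately and classify the result."""
    canary = canary or "zx" + secrets.token_hex(4)
    probe = build_probe(canary)
    findings = {}
    for p in params:
        findings[f"param:{p}"] = classify_reflection(send({p: probe}, {}), canary)
    for h in header_names:
        findings[f"header:{h}"] = classify_reflection(send({}, {h: probe}), canary)
    return findings


if __name__ == "__main__":
    results = scan(fake_server, ["q", "name"], ["User-Agent", "Referer"])
    for point, verdict in results.items():
        print(f"{point:20} {verdict}")
```

A "reflected raw" verdict means the request value reached the page with `"`, `<` and `>` intact, which is the condition for reflected XSS in an HTML context; it is not proof of exploitability on its own (a Content Security Policy may still block the script), so confirm each finding in the code review. Injecting one input at a time keeps each finding attributable to a single parameter or header.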

How to fix this

To prevent and protect against XSS attacks, a developer should:

  • validate user input – allow only expected, predefined input formats and characters; validation reduces the attack surface but is not a substitute for output encoding
  • encode output for its context – HTML body, HTML attributes, JavaScript and URLs each need different encoding, so apply the encoding that matches where the value is written into the page
  • use HTTP security headers – implement a Content Security Policy (CSP) that restricts the sources scripts can be loaded from and disallows inline scripts, so an injected script is blocked even if an encoding step is missed
  • use Web Application Firewalls (WAF) – deploy a WAF to detect and block known XSS attack patterns in real time, as defence in depth; a WAF can be bypassed and does not fix the underlying flaw
  • regularly update and patch software – update frameworks and libraries to mitigate XSS risks
  • implement secure coding practices and conduct security testing – perform penetration testing and automated security scans, and integrate Static Application Security Testing (SAST) tools in Continuous Integration and Continuous Delivery or Deployment (CI/CD) pipelines
  • apply preventive best practices

Preventive best practices include:

  • using security frameworks and template engines that escape output by default (for example, Django templates and its escape() function, Laravel’s e() helper and Blade {{ }} syntax, or Spring Security’s security header support in Java)
  • disabling unnecessary browser features using security headers (for example, Permissions-Policy, and X-Content-Type-Options: nosniff so browsers do not guess content types)
  • educating developers on secure coding principles and XSS prevention
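The context-specific output encoding and CSP header from the two lists above, as an added example that is not part of this GDS guidance. `render_vulnerable` and `render_fixed` are hypothetical handlers that write one untrusted request value into four contexts; the encoding helpers use the Python standard library rather than a particular framework.

```python
"""Context-aware output encoding: a vulnerable handler beside its hardened form.

Added example, not the GDS guidance's own code. The handlers are hypothetical;
`term` stands for a value taken straight from the HTTP request.
"""
import html
import json
from typing import Dict
from urllib.parse import quote


def render_vulnerable(term: str) -> str:
    # Before: the request value is written into four contexts with no encoding.
    return (
        f"<h1>Results for {term}</h1>\n"
        f'<input name="q" value="{term}">\n'
        f'<a href="/search?q={term}">again</a>\n'
        f'<script>var last = "{term}";</script>'
    )


def for_html(s: str) -> str:
    """HTML body context: encode & < > " and ' as entities."""
    return html.escape(s, quote=True)


def for_attr(s: str) -> str:
    """Quoted HTML attribute context: same entities; the attribute must be quoted."""
    return html.escape(s, quote=True)


def for_url_param(s: str) -> str:
    """URL query parameter context: percent-encode everything except unreserved chars."""
    return quote(s, safe="")


def for_js_string(s: str) -> str:
    """JavaScript string-literal context: json.dumps yields a quoted literal; encoding
    '<' and '>' as \\u escapes stops a value containing </script> from closing the element."""
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def render_fixed(term: str) -> str:
    # After: each insertion uses the encoder for its own context.
    return (
        f"<h1>Results for {for_html(term)}</h1>\n"
        f'<input name="q" value="{for_attr(term)}">\n'
        f'<a href="/search?q={for_url_param(term)}">again</a>\n'
        f"<script>var last = {for_js_string(term)};</script>"
    )


# Policy that only allows scripts served from the site's own origin and no inline
# scripts, so a reflected <script> block is not executed even if encoding is missed.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def security_headers() -> Dict[str, str]:
    """Response headers the hardened handler would set alongside the page."""
    return {
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }


def count_injected_scripts(page: str) -> int:
    """How many times the attacker's script tag survives verbatim in the page."""
    return page.count("<script>alert")


if __name__ == "__main__":
    # Constructed attacker payload of the kind a manipulated URL would carry.
    payload = '"><script>alert(1)</script>'
    print("vulnerable:", count_injected_scripts(render_vulnerable(payload)), "injections")
    print("fixed:     ", count_injected_scripts(render_fixed(payload)), "injections")
    print(render_fixed(payload))
```

Using the HTML encoder for every context is the common mistake this example is built to show: `for_html` would not make the value safe inside the `href` or the `<script>` block, which is why those contexts get their own encoders. The CSP value is a starting point; sites that rely on inline scripts need nonces or hashes rather than dropping the `script-src` restriction.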
