Cross-Site Scripting (XSS): The Silent Threat in Everyday Browsing

Rahul Kumar
Rahul Kumar
Intern - Policy & Advocacy, CyberPeace
PUBLISHED ON
Sep 1, 2025
10

Introduction

Web applications are essential in various sectors, including online shopping, social networks, banking, and healthcare systems. However, they also pose numerous security threats, including Cross-Site Scripting (XSS), a client-side code injection vulnerability. XSS attacks exploit the trust relationship between users and websites, allowing them to change web content, steal private information, hijack sessions, and gain full control of user accounts without breaking into the core server. This vulnerability is part of the OWASP Top 10 Web Application Security Risks.

What is Cross-Site Scripting (XSS)?

An XSS attack occurs when an attacker injects client-side scripts into web pages viewed by other users. When users visit the affected pages, their browsers naively execute the inserted scripts. The exploit takes advantage of web applications that allow users to submit content without properly sanitising inputs or encoding outputs. These scripts can cause a wide range of damage, including but not limited to stealing session cookies for session hijacking, redirecting users to malicious sites, logging keystrokes to capture credentials, and altering the DOM to display fake or phishing content.

How Does XSS Work?

  1. Injection: A malicious user submits code through a website input, like a comment or form.
  2. Execution: The submitted code runs automatically in the browsers of other users who view the page.
  3. Exploitation: The attacker can steal session information, capture credentials, redirect users, or modify the page content.

The fundamental cause behind the XSS vulnerabilities is the application of:  

  • Accepting trusted input from the users.  
  • After users' input, web pages have the strings embedded without any sanitisation.  
  • Not abiding by security policies like Content Security Policy (CSP).  

With such vulnerabilities, attackers can generate malicious payloads like:  

<script>alert('XSS');</script>  

This code might seem simple, but its execution provides the attacker with the possibility to do the following:  

  • Copy session tokens through hidden HTTP requests.  
  • From attacker-controlled domains, load attacker scripts.  
  • Change the DOM structure to show fake login forms for phishing.

Types of XSS Attacks

XSS (Cross-Site Scripting) attacks can occur in three main variations: 

  1. Stored XSS: This type of attack occurs when an attacker injects an administered payload into the database or a message board. The script then runs whenever a user visits the affected board.
  2. Reflected XSS: In this attack, the danger lies in a parameter of the URL. Its social engineering techniques are attacks, in which it requires tricking people to click on a specially designed link. For example:
  3. DOM-Based XSS: This technique injects anything harmful without the need for server-side scripts, in contrast to other approaches. It targets JavaScript client-side scripts such as `document.write` and `innerHTML`. Without carrying out any safety checks, these scripts will alter the page's look (DOM stands for Document Object Model). If the hash is given a malicious string, it is run directly within the browser.

What Makes XSS a Threat?  

A Cross-Site Scripting attack is only a primary attack vector, and can lead to significant damage that includes the following:  

  • Statement Hijacking. This uses scripts to steal cookies, which are then used to pose as authorized users.  
  • Theft of Credentials. Users’ passwords and usernames are wrenched from keystroke trackers.  
  • Phishing. Users are prompted with deceitful login forms that are used to capture sensitive details.  
  • Website Vandalism. Modified website material lowers the esteem of the brand.  
  • Monetary and Legal Consequences. There are compounding effects to GDPR and DPDP Act compliance in case of Data breaches, which incur penalties and fines.  

Incidents in the Real World  

In 2021, an XSS Stored attack occurred on a famous e-commerce platform eBay, through their product review system. The malicious JavaScript code was set to trigger every time an infected product page was accessed by customers. This caused a lot of problems, including account takeovers, unauthorised purchases, and damage to the company’s reputation. This example further worsens the fact that even reputed platforms can be targeted by XSS attacks.

How to Prevent XSS?

Addressing XSS vulnerabilities demands attention to detail and coordinated efforts across functions, as illustrated in the steps below:

  1. Input Validation and Output Encoding:
  • Ensure input validation is in place on the client and server.
  • Perform output encoding relative to context: HTML: <, >, &

JavaScript: Escape quotes and slashes

  1. Content Security Policy (CSP): CSP allows scripts to be executed only from the verified sources, which helps diminish the odds of harmful scripts running on your website. For example, the Header in the code could look to some degree like this: Content-Security-Policy: script-src 'self';
  1. Unsafe APIs should be dodged: Avoid the use of document.write(), innerHTML, and eval(), and make sure to use:
  • textContent for inserting text.
  • createElement() and other DOM creation methods for structured content.
  1. Secure Cookies: Apply the HttpOnly and Secure cookie flags to block JavaScript access. 
  1. Framework Protections: Use the protective features in frameworks such as:
  • React, which escapes data embedded in JSX automatically.
  • Angular, which uses context-aware sanitisation.
  1. Periodic Security Assessments:
  • Use DAST tools to test the security posture of an application.
  • Perform thorough penetration testing and security-oriented code reviews.

Best Practices for Developers

  • Assume a Secure Development Lifecycle (SDLC) integrating XSS stoppage at each point.
  • Educate developers on OWASP secure coding guidelines.
  • Automate scanning for vulnerabilities in CI/CD pipelines.

Conclusion

To reduce the potential danger of XSS, both developers and companies must be diligent in their safety initiatives, ranging from using Content Security Policies (CSP) to verifying user input. Web applications can shield consumers and the company from the subtle but long-lasting threat of Cross-Site Scripting if security controls are implemented during the web application development stage and regular vulnerability scans are conducted.

References

PUBLISHED ON
Sep 1, 2025
Category
TAGS
No items found.

Related Blogs

#FactCheck - AI Generated Photo Circulating Online Misleads About BARC Building Redesign
#FactCheck - AI Generated Photo Circulating Online Misleads About BARC Building Redesign
10
April 6, 2024

Executive Summary:

A photo circulating on the web that claims to show the future design of the Bhabha Atomic Research Center, BARC building, has been found to be fake after fact checking has been done. Nevertheless, there is no official notice or confirmation from BARC on its website or social media handles. Through the AI Content Detection tool, we have discovered that the image is a fake as it was generated by an AI. In short, the viral picture is not the authentic architectural plans drawn up for the BARC building.

Claims:

A photo allegedly representing the new outlook of the Bhabha Atomic Research Center (BARC) building is reigning over social media platforms.

Post link
Post link

Fact Check:

To begin our investigation, we surfed the BARC's official website to check out their tender and NITs notifications to inquire for new constructions or renovations.

It was a pity that there was no corresponding information on what was being claimed.

Website link

Then, we hopped on their official social media pages and searched for any latest updates on an innovative building construction, if any. We looked on Facebook, Instagram and X . Again, there was no information about the supposed blueprint. To validate the fact that the viral image could be generated by AI, we gave a search on an AI Content Detection tool by Hive that is called ‘AI Classifier’. The tool's analysis was in congruence with the image being an AI-generated computer-made one with 100% accuracy.

To be sure, we also used another AI-image detection tool called, “isitai?” and it turned out to be 98.74% AI generated.

Conclusion:

To conclude, the statement about the image being the new BARC building is fake and misleading. A detailed investigation, examining BARC's authorities and utilizing AI detection tools, proved that the picture is more probable an AI-generated one than an original architectural design. BARC has not given any information nor announced anything for such a plan. This makes the statement untrustworthy since there is no credible source to support it.

Claim: Many social media users claim to show the new design of the BARC building.

Claimed on: X, Facebook

Fact Check: Misleading

Unveiling Digital Insights: Navigating the World of Digital Forensics
Unveiling Digital Insights: Navigating the World of Digital Forensics
10
April 22, 2024

Introduction:

Digital Forensics, as the term goes, “It is the process of collecting, preserving, identifying, analyzing, and presenting digital evidence in a way that the evidence is legally admitted.”

It is like a detective work in the digital realm, where investigators use various specific methods to find deleted files and to reveal destroyed messages.

The reason why Digital Forensics is an important field is because with the  advancement of technology and the use of digital devices, the role of Digital Forensics in preserving the evidence and protecting our data from cybercrime is becoming more and more crucial.

Digital Forensics is used in various situations such as:

  • Criminal Investigations: Digital Forensics enables investigators to trace back cyber threat actors and further identify victims of the crime to  gather evidence needed to punish criminals.
  • Legal issues: Digital Forensics might aid in legal  matters involving intellectual property infringement and data breaches etc.

Types of Digital Data in Digital Forensics:

1.Persistent (Non-volatile) Data :-

  • This type of Data Remains Intact When The Computer Is Turned Off.
  • ex. Hard-disk, Flash-drives

2.  Volatile Data :-

  • These types of Data Would Be Lost When The Computer Is Turned Off.
  • ex. Temp. Files, Unsaved OpenFiles, etc.

The Digital Forensics Process

The process is as follows

  • Evidence Acquisition: This process involves making an exact copy (forensic image) of the storage devices such as hard drives, SSD or mobile devices. The goal is to preserve the original data without changing it.
  • Data Recovery: After acquiring the forensic image, the analysts use  tools to recover deleted, hidden or the  encrypted data inside the device . 
  • Timeline Analysis: Analysts use timestamp information from files, and system logs to reconstruct the timeline of activities on a device. This helps in understanding how an incident spanned out and who was involved in it.
  • Malware Analysis: In cases involving  security breaches, analysts analyze malware samples to understand their behavior, impact, and origins. various reverse engineering techniques are used to analyze the malicious code.

Types of tools:

  • Faraday Bags: Faraday bags are generally the first step in digital evidence capture. These bags are generally made of conductive materials, which are used to shield our electronic devices from external waves such as WiFi, Bluetooth, and mobile cellular signals, which in turn protects the digital evidence from external tampering.
  • Data recovery : These types of software are generally used for the recovery of deleted files and their associated data.  Ex. Magnet Forensics, Access data, X-Ways
  • Disk imaging and analysis :These types of softwares are Generally used to replicate the data storage devices and then perform further analysis on it ex. FTKImager, Autopsy, and, Sleuth Kit
  • File carving tools: They are generally used to extract information from the embedded files in the image made. Ex.Foremost, Binwalk, Scalpel

Some common tools:

  • EnCase: It is a tool for acquiring, analyzing, and reporting digital evidence.
  • Autopsy: It is an open-source platform generally used for analyzing hard drives and smartphones.
  • Volatility: It is a framework used generally for memory forensics to analyze volatile memory dumps and extract info.
  • Sleuth Kit: It is a package of CLI tools for investigating disk images and its associated file systems.
  • Cellebrite UFED: It is a tool generally used for mobile forensics.

Challenges in the Field:

  • Encryption: Encryption plays a major challenge as the encrypted data requires specialized techniques and tools for decryption.
  • Anti-Forensic Techniques: Anti-Forensics techniques play a major challenge as the criminals often use anti-forensic methods to cover their tracks, making it challenging to get the digital evidence.
  • Data Volume and Complexity: The large volume of digital data and the diversity of various devices create challenges in evidence collection and analysis.

The Future of Digital Forensics: A Perspective

With the  growth of technology and the vast presence of digital data, the challenges and opportunities in Digital Forensics keep on updating themselves. Due to the onset of new technology and the ever growing  necessity of cloud storage, mobile devices, and the IoT (Internet of Things), investigators will have to develop new strategies and should be ready to adapt and learn from the new shaping of the tech world.

Conclusion:

Digital Forensics is an essential field in the recent era for ensuring fairness in the digital era. By collecting, inspecting, and analyzing the digital data, the Digital Forensics investigators can arrive lawfully at  the prosecution of criminals and the settlement of civil disputes. Nowadays with technology on one hand progressing continuously, the discipline of Digital Forensics will certainly become even more pivotal in the case of investigations in the years to come.

Alarming statistics on Sextortion
Alarming statistics on Sextortion
10
October 20, 2023

Introduction:

The Federal Bureau of Investigation (FBI) focuses on threats and is an intelligence-driven agency with both law enforcement and intelligence responsibilities. The FBI has the power and duty to look into certain offences that are entrusted to it and to offer other law enforcement agencies cooperation services including fingerprint identification, lab tests, and training. In order to support its own investigations as well as those of its collaborators and to better comprehend and address the security dangers facing the United States, the FBI also gathers, disseminates, and analyzes intelligence.

The FBI’s  Internet Crime Complaint Center (IC3) Functions combating cybercrime:

  1. Collection: Internet crime victims can report incidents and notify the relevant authorities of potential illicit Internet behavior using the IC3. Law enforcement frequently advises and directs victims to use www.ic3.gov to submit a complaint.
  2. Analysis: To find new dangers and trends, the IC3 examines and examines data that users submit via its website.
  3. Public Awareness: The website posts public service announcements, business alerts, and other publications outlining specific frauds. Helps to raise awareness and make people become aware of Internet crimes and how to stay protected.
  4. Referrals: The IC3 compiles relevant complaints to create referrals, which are sent to national, international, local, and state law enforcement agencies for possible investigation. If law enforcement conducts an investigation and finds evidence of a crime, the offender may face legal repercussions.

Alarming increase in cyber crime cases:

In the recently released 2022 Internet Crime Report by the FBI's Internet Crime Complaint Center (IC3), the statistics paint a concerning picture of cybercrime in the United States. FBI’s Internet Crime Complaint Center (IC3) received 39,416 cases of extortion in 2022. The number of cases in 2021 stood at 39,360.

FBI officials emphasize the growing scope and sophistication of cyber-enabled crimes, which come from around the world. They highlight the importance of reporting incidents to IC3 and stress the role of law enforcement and private-sector partnerships.

About Internet Crime Complaint Center IC3:

IC3 was established in May 2000 by the FBI to receive complaints related to internet crimes.

It has received over 7.3 million complaints since its inception, averaging around 651,800 complaints per year over the last five years. IC3's mission is to provide the public with a reliable reporting mechanism for suspected cyber-enabled criminal activity and to collaborate with law enforcement and industry partners. 

The FBI encourages the public to regularly review consumer and industry alerts published by IC3. An victim of an internet crime are urged to submit a complaint to IC3, and can also file a complaint on behalf of another person. These statistics underscore the ever-evolving and expanding threat of cybercrime and the importance of vigilance and reporting to combat this growing challenge.

What is sextortion?

The use or threatened use of a sexual image or video of another person without that person’s consent, derived from online encounters or social media websites or applications, primarily to extort money from that person or asking for sexual favours and giving warning to distribute that picture or video to that person’s friends, acquaintances, spouse, partner, or co-workers or in public domain. 

Sextortion is an online crime that can be understood as, when an bad actor coerces a young person into creating or sharing a sexual image or video of themselves and then uses it to get something from such young person, such as other sexual images, money, or even sexual favours. Reports highlights that more and more kids are being blackmailed in this way. Sextortion can also happen to adults. Sextortion can also take place by taking your pictures from social media account and converting those pictures into sexually explicit content by morphing such images or creating deepfake by miusing deepfake technologies.

Sextortion in the age of AI and advanced technologies:

AI and deep fake technology make sextortion even more dangerous and pernicious. A perpetrator can now produce a high-quality deep fake that convincingly shows a victim engaged in explicit acts — even if the person has not done any such thing. 

Legal Measures available in cases of sextortion:

In India, cybersecurity is governed primarily by the Indian Penal Code (IPC) and the Information Technology Act, 2000 (IT Act). Addressing cyber crimes such as hacking, identity theft, and the publication of obscene material online, sextortion and other cyber crimes. The IT Act covers various aspects of electronic governance and e-commerce, with providing provisions for defining such offences and providing punishment for such offences.

Recently Digital Personal Data Protection Act, 2023 has been enacted by the Indian Government to protect the digital personal data of the Individuals. These laws collectively establish the legal framework for cybersecurity and cybercrime prevention in India. Victims are urged to report the crime to local law enforcement and its cybercrime divisions. Law enforcement will investigate sextortion cases reports and will undertake appropriate legal action.  

How to stay protected from evolving cases of sextortion: Best Practices:

  • Report the Crime to law enforcement agency and social media platform or Internet service provider. 
  • Enable Two-step verification as an extra layer of protection.
  • Keep your laptop Webcams covered when not in use.
  • Stay protected from malware and phishing Attacks.
  • Protect your personal information on your social media account, and also monitor your social media accounts in order to identify any suspicious activity. You can also set and review privacy settings of your social media accounts.

Conclusion:

Sextortion cases has been increased in recent time. Knowing the risk, being aware of rules and regulations, and by following best practices will help in preventing such crime and help you to stay safe and also avoid the chance of being victimized. It is important to spreading awareness about such growing cyber crimes and empowering the people to report it and it is also significant to provide support to victims. Let’s all unite in order to fight against such cyber crimes and also to make life a safer place on the internet or digital space.

References:

Become a part of our vision to make the digital world safe for all!

Numerous avenues exist for individuals to unite with us and our collaborators in fostering  global cyber security

Awareness

Stay Informed: Elevate Your Awareness with Our Latest Events and News Articles Promoting Cyber Peace and Security.

CyberPeace Corps Induction Workshop
The Missing Link Trust to combat online child trafficking
Cyber Safety Carnival
Safer Internet Day 2023
Indian schools and colleges under digital siege: Massive cyber breach crisis exposed
Over 2 lack cyberattacks, 4 lakh data breaches hit Indian educational institutions in 9 months
Lessons in Cybersecurity Required: 2 Lakh Cyberattacks Shake Indian Education Sector in Just Nine Months
2 lakh cyberattacks, 4 lakh data breaches in Indian educational sector in 9 months

Engagement

Your institution or organization can partner with us in any one of our initiatives or policy research activities and complement the region-specific resources and talent we need.

Discover ways to collaborate
Request for Proposals

Play your part for CyberPeace

Donate to us directly to help us build more pioneering initiatives.

Donate Now