
Detecting Cross-Site Scripting Attacks

Cross-site scripting, or XSS, is an attack delivered through a specially crafted URL that carries attack code; the code causes information a user enters into their web browser to be sent to the attacker.

In an identity-theft attack, an attacker finds a web server that is vulnerable to XSS and sends a legitimate-looking URL with XSS attack code appended to the end of it. The malicious URL is often delivered in a phishing email message.

The best defense is to log everything on your web servers and use resources such as the Cross Site Scripting cheat sheet for testing and detection methods (

Nothing replaces due diligence and frequent log scouring, however. So what do you look for? Anything out of the ordinary. How do you know what is ordinary? By checking your logs frequently.

Here is one sample web access log entry that is a sign of an XSS attack:

    - - [05/Aug/2009:15:16:42 -0400] "GET /%27%27;!--%22%3CXSS%3E=&{()} HTTP/1.1" 404 310 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/2009070812 Ubuntu/8.04 (hardy) Firefox/3.0.12"

The part to look for is the request line beginning GET /%27%27 (there are several variants). %27 is a URL-encoded single quote, so the request path decodes to '';!--"<XSS>=&{()}, a probe string that has no business appearing in a normal request.
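As an added example (not part of the original article), here is a small Python scanner that URL-decodes the request target of each access-log line and flags the probe string from the entry above, plus a few assumed generic markers. The client addresses and the extra lines in the sample log are constructed.

```python
import re
from urllib.parse import unquote

# Apache combined-log prefix: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Probe string decoded from the page's sample entry, plus generic markers (assumed list).
PROBE = "'';!--\"<XSS>=&{()}"
INDICATORS = [
    ("cheat-sheet probe", re.compile(re.escape(PROBE))),
    ("script tag", re.compile(r"<\s*script", re.I)),
    ("xss tag", re.compile(r"<\s*xss", re.I)),
    ("javascript uri", re.compile(r"javascript\s*:", re.I)),
]

def decode_target(target, rounds=3):
    """URL-decode until stable: double encoding (%253C) hides <script> from one pass."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan_line(line):
    """Return a finding for a request whose decoded target matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if not hits:
        return None
    return {"host": m.group("host"), "time": m.group("time"),
            "status": m.group("status"), "decoded": decoded, "indicators": hits}

def scan_log(lines):
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log: the page's entry with a placeholder IP, a benign request,
# and a double-encoded <script> tag that a single decoding pass would miss.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2009:15:16:42 -0400] "GET /%27%27;!--%22%3CXSS%3E=&{()} HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Aug/2009:15:17:01 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Aug/2009:15:18:30 -0400] "GET /search?q=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Calling scan_log(SAMPLE_LOG) returns two findings: the cheat-sheet probe (also matched as an xss tag) and the double-encoded script tag; the plain index.html request is ignored.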

reference: and blog



Information Technology, The College of New Jersey
Green Hall, 2000 Pennington Road, P. O. Box 7718, Ewing, NJ 08628
