Last updated at Wed, 15 May 2019 14:56:09 GMT

In December, I wrote about the most recent DFP XSS vulnerability and the files that many publishers were, and are still hosting on their sites today. This post will go into detail about how this type of attack, called a reflected XSS attack, can affect your users. Reflected XSS attacks are possible when an attacker can inject JavaScript code into your web site.

This attack begins when a site owner places an HTML or JavaScript file on their site that sets up digital advertising. Let’s take the following example from one of the DFP files that Google asks publishers to host:

<script language="JavaScript"> var query =; var adUrl = query.substring(5, query.length); var clickthru; var failclickthru; document.write('<s'+'cript language="JavaScript" src="'); document.write(adUrl+'"></s'+'cript>');</script>

This code searches for a query parameter in a URL. If your site is, you can submit a query like, and use the JavaScript in to show the advertisement – or perform other malicious activities.

The problem is the fact that anyone can force your users to execute arbitrary JavaScript by simply adding to the URL as a parameter to steal your user’s private information, listen to their session, and more. Anything that the browser sees can be hijacked by an attacker, including login information and any user actions such as passwords or credit card information.

Because DFP is one of the most common ways to monetize content, it’s not a surprise that the DFP XSS vulnerability is commonly found in the wild. My research indicates that about 2-3% of the Alexa top 5,000 sites continue to host the vulnerability. At tCell, we have identified and notified hundreds of companies of their vulnerability, some of whom have since taken steps to remove the files and protect their users. As an alternative to removing files, you can protect advertising code with tCell’s XSS protection, implemented both in the HTTP protocol and with an agent running directly in the browser.