Cross Site Scripting (XSS)

What is XSS(Cross Site Scripting)

XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.

The Use of JavaScript in Cross-Site Scripting

JavaScript is a programming language which runs on web pages inside your browser.

While JavaScript is client side and does not run on the server, it can be used to interact with the server by performing background requests.

Attackers can use these background requests to add unwanted spam content to a web page without refreshing it, gather analytics about the client’s browser, or perform actions asynchronously.

How Do Cross-Site Scripting Attacks Work?

When attackers inject their code into a web page, they can then inject their own script, which is executed by the victim’s browser.

Another popular use of cross-site scripting attacks is when the vulnerability is available on most publicly available pages of a website.

In this case, attackers can inject their code to target the visitors of the website by adding their own ads, phishing prompts, or other malicious content.

Types of XSS attacks

Reflected XSS

In this type of XSS, the malicious script is reflected from the server back to the client. Hence, it is called reflected XSS. It is reflected back in such a way that the HTTP response includes the payload from the HTTP request.

And also Other users cant access it.

Eg: when an attacker`s payload which is sent from a website’s search or contact form and gets executed.

Stored XSS

The term stored indicates that the payload is stored somewhere. In stored XSS, the payload is stored on the server side. Once the payload is present within the application, provided it wasn’t properly escaped then execution of payload leads to Stored xss

Any body can Access it because has its being stored in some DB


When the The objects inside the payloads gets executed (DOM- Document object Model) eg: document.location,url,cookies etc

When an application uses a DOM to store data, the data remains only on the client side and the browser reads and displays the output.

Blind XSS

Blind cross-site scripting attacks occur when an attacker can’t see the result of an attack. The vulnerability commonly lies on a page where only authorized users can access.

Attacker will not come to know if the payload fails, the attacker won’t be notified.

Eg: when a Address input field is vulnerable to XSS, but only from an administrative page restricted to admin users.

Mutated XSS

mXSS may usually occurs in innerHTML and happens due to incorrect reads of innerHTML. The mXSS is an XSS vector that is mutated from safe state to unsafe unfiltered state.

Server- and client-side XSS filters share the assumption that their HTML output and the browser-rendered HTML content are mostly identical.

The user provided content is mutated by the browser, such that a harmless string passes nearly all XSS filters is ultimately transformed into active XSS attack vector by the browser.

If attackers prepares a payloads as per the filtering mechanism enabled and then executes it.

Self Cross-Site Scripting:

Self Cross site scripting(XSS) is a vulnerability in web applications which gives the ability of executing JS as the same user and not to other users. (Attacking or execution of JS for your own session`s)

Mitigations for XSS

Avoid and Restrict HTML in Inputs

Sanitise values and proper data encoding

Use HttpOnly Flag and secure Cookies implementation

Use a WAF and Proper WAF rules to prevent injections

Implement CSP policies

Implement XSS protection Headers

Use appropriate response headers.

In the Next write up will show how to craft payloads as per XSS identification needs.