Cross-site scripting (XSS)


The more of these documents I have made, the more I have realized that there is a pretty big difference between what you learn from PortSwigger and what you learn from OWASP. I find that OWASP provides good foundational documentation of the vulnerabilities, whereas PortSwigger shows you the practical side of the vulnerabilities. To start, I am going to look at the threat agents and attack vectors, as well as the impacts.

“Threat Agents/Attack Vectors: Automated tools can detect and exploit all three forms of XSS, and there are freely available exploitation frameworks.”

“Impacts: The impact of XSS is moderate for reflected and DOM XSS, and severe for stored XSS, with remote code execution on the victim’s browser, such as stealing credentials, sessions, or delivering malware to the victim.”

Now that we have a good base understanding, we will look at how to tell if an application is vulnerable.

  • Reflected XSS: The application or API includes unvalidated and unescaped user input as part of its HTML output. A successful attack lets the attacker execute arbitrary HTML and JavaScript in the victim’s browser. Typically the victim has to follow a crafted link to the vulnerable application, delivered for example from an attacker-controlled page, a watering-hole site, or a malicious advertisement.
  • Stored XSS: The application or API stores unsanitized user input that is viewed later by another user or an administrator. Because the payload fires without any per-victim interaction and can reach privileged users, stored XSS is often rated high or critical.
  • DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically write attacker-controllable data into the page are vulnerable to DOM XSS. Ideally, the application would never pass attacker-controllable data to unsafe JavaScript sinks such as innerHTML or eval.
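To make the first two checks in the list concrete, here is an added example (mine, not code from the page, OWASP or PortSwigger) of a tiny server-side renderer written in Node.js. It shows the reflected pattern (request value concatenated into HTML), the stored pattern (raw input kept in a store and rendered for every later viewer), the HTML-escaped version of each, and a canary-based check a tester can run over any response body to see whether input is reflected unescaped. The page names, the in-memory comment store and the canary string are all constructed for the example.

```javascript
// Added example: vulnerable vs. escaped HTML rendering, plus a reflection check.
// Everything below (page names, store, canary) is constructed for illustration.

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected XSS: the search term from the current request goes straight
// into the HTML output, so "<" and ">" in the query become real markup.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: same page, untrusted value HTML-escaped before it is emitted.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Stored XSS: comments are saved exactly as submitted (the "database" here is
// an in-memory array passed in by the caller) and rendered later for everyone
// who views the page, including administrators.
function postComment(store, text) {
  store.push(text);
  return store.length;
}

function renderCommentsVulnerable(store) {
  return "<ul>" + store.map((c) => `<li>${c}</li>`).join("") + "</ul>";
}

function renderCommentsSafe(store) {
  return "<ul>" + store.map((c) => `<li>${escapeHtml(c)}</li>`).join("") + "</ul>";
}

// Tester's check: submit a unique canary wrapped in angle brackets and look for
// it verbatim in the response. If "<canary>" survives unescaped, the sink is
// exploitable in HTML context. Use a random token in practice so it cannot
// collide with legitimate page content.
function reflectsUnescaped(responseHtml, canary) {
  return responseHtml.includes(`<${canary}>`);
}

// Stand-alone demo with a constructed payload and a fresh comment store.
const demoPayload = '"><img src=x onerror=alert(1)>';
console.log("vulnerable:", renderSearchVulnerable(demoPayload));
console.log("safe:      ", renderSearchSafe(demoPayload));
const demoStore = [];
postComment(demoStore, "<script>alert(document.cookie)</script>");
console.log("stored, vulnerable:", renderCommentsVulnerable(demoStore));
console.log("stored, safe:      ", renderCommentsSafe(demoStore));
console.log("canary reflected unescaped:",
  reflectsUnescaped(renderSearchVulnerable("<xss7f3a>"), "xss7f3a"));
```

Two caveats a practitioner would want alongside this: escaping for HTML body context is not enough when the value lands inside a `<script>` block, a URL, a CSS value or an event-handler attribute, each of which needs its own context-aware encoding; and the canary check only proves reflection into HTML context, so a negative result does not clear the other contexts or the DOM-based variant, where the dangerous write happens in client-side code and never appears in the server response at all.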


How does XSS work?

Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim’s browser, the attacker can fully compromise their interaction with the application.

Types of XSS

  • Reflected XSS, where the malicious script comes from the current HTTP request.
  • Stored XSS, where the malicious script comes from the website’s database.
  • DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.