XSS

Cross Site Scripting

Inject HTML code or run JavaScript code in the user’s web browser (client side).

Types Of Cross-Site Scripting

  1. Stored (Persistent) XSS: This is the most critical form of XSS. It occurs when user input is stored in the backend database and later displayed when the page is rendered. Common instances include user-generated content such as posts or comments, where malicious scripts injected by attackers persistently affect subsequent visitors. For example, a comment you leave on a blog is saved (stored) by the website, so the comment feature might have stored XSS.
  2. Reflected (Non-Persistent) XSS: In this scenario, user input is processed by the backend server and then displayed on the page, but it is not permanently stored. Examples include search results or error messages where crafted input triggers the execution of malicious scripts within the context of the response. In other words, a variable in the website is reflected back to you as the user.
  3. DOM-based XSS: This is another form of non-persistent XSS. It occurs exclusively on the client side, without involving communication with the backend server. User input is directly incorporated into the Document Object Model (DOM) and executed within the browser environment. Common vectors include client-side HTTP parameters or anchor tags that facilitate the injection and execution of malicious scripts. The result is produced in the front-end page itself (the user's page) and the server has nothing to do with it, so it is neither reflected nor stored, but DOM XSS.
  4. UXSS: This is typically not a web application flaw at all, but rather a method of injecting JavaScript by exploiting a separate tool.
  5. Self-XSS: This attack involves scammers tricking their unsuspecting victims into copying or typing commands into the address bar that lead to adversary-controlled JavaScript execution.
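The stored and reflected paths described above differ only in where the untrusted value comes from; the fix in both is to encode it at the point of output. The following is an added example, not code from the original page: the function names, the in-memory `comments` array and the sample input are all constructed for illustration.

```javascript
// Added example; every name here is hypothetical and the input is constructed.
const comments = []; // stands in for the backend database

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stored path: input is saved now and rendered later for every visitor.
function saveComment(text) {
  comments.push(text);
}
function renderCommentsUnsafe() {
  return comments.map((c) => `<li>${c}</li>`).join(""); // raw concatenation
}
function renderCommentsSafe() {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("");
}

// Reflected path: input comes from the request and is echoed once, never stored.
function renderSearchUnsafe(query) {
  return `<p>Results for ${query}</p>`; // raw concatenation
}
function renderSearchSafe(query) {
  return `<p>Results for ${escapeHtml(query)}</p>`;
}

// Simple check: did the output gain an element the template never contained?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// DOM-based XSS has no server-side render step; in the browser the same rule
// means assigning untrusted text with element.textContent, not innerHTML.

const sample = "<script>alert(1)</script>"; // constructed test input
saveComment(sample);
console.log("stored, unsafe:   ", containsScriptElement(renderCommentsUnsafe()));
console.log("stored, safe:     ", containsScriptElement(renderCommentsSafe()));
console.log("reflected, unsafe:", containsScriptElement(renderSearchUnsafe(sample)));
console.log("reflected, safe:  ", containsScriptElement(renderSearchSafe(sample)));
```

`escapeHtml` covers HTML text and quoted attribute values only; values placed inside a script block, a URL or a style need the encoding for that context instead.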

Document Object Model (DOM)

Reflected XSS – Non-Persistent

Stored XSS

DOM Based XSS