Beginners Guide to Cross Site Scripting (XSS)


JavaScript is the programming language of the web. It’s one of the most popular and in-demand skills in today’s job market for good reason. JavaScript enables you to add powerful interactions to websites

A Scripting Language understood by the browser.

JS is embedded in HTML Pages

The Browser RUNS the js instead of displaying it

Event Handler

When JavaScript is used in HTML pages, JavaScript can “react” on these events.

When the page loads, it is called an event. When the user clicks a button, that clicks to is an event. Other examples include events like pressing any key, closing a window, resizing a window, etc.


 Basically, javascript uses the onload function to load an object on any web page. For example, I want to generate an alert for user those who visit my website; I will give the following JavaScript code.

 <body onload=alert(‘Welcome to Hacking Articles’)>

 So whenever the body tag loads, an alert will pop up with the following text Welcome to Hacking Articles for the visitors. Here the loading of the body tag is an event or a happening and onload is an event handler which decides what will action will happen on that event.

Similarly, there are many JavaScript event handlers which define what event occurs for such type of action like scroll down of the page, or when an image fails to load etc.


Onmouseover, when the user moves his cursor over the text, the additional code will be executed. For example, let understand the following code:

<a onmouseover=alert(“50% discount”)>surprise</a>

Now when the user moves his cursor over the surprise the displayed text on the page, an alert box will pop up with 50% discount.

onclick: Use this to invoke JavaScript upon clicking (a link, or form boxes)
onload: Use this to invoke JavaScript after the page or an image has finished loading
onmouseover Use this to invoke JavaScript if the mouse passes by some link
onmouseout Use this to invoke JavaScript if the mouse goes pass some link
onunload Use this to invoke JavaScript right after someone leaves this page.

Cross Site Scripting (XSS)

XSS is listed as top third web application security risk in the OWASP to top 10 risk model 2017.

Cross-site scripting (XSS) is a flaw in a web application that allows an attacker to execute malicious JavaScript through a code injection attack in another victim’s browser.

In this attack user is not directly targeted through a payload, although attacker shoot the XSS vulnerability by inserting malicious script into a web page that appears to be a genuine part of the website to the users, whenever any user visit that website it will automatically send the malicious JavaScript code in his browser without his knowledge.

Let’s take an example that following code is XSS vulnerable, an attacker may possibly present a history that holds a malicious payload such as <script>alert(HACK);</script>

Print “<html>”

Print “<h1>Recent History</h1>”

Print request.Recent History print “</html>

Users visiting the web page will get the following HTML page without his knowledge.


<h1> Recent History </h1>

<script>alert (HACK);</script>


Types of XSS:

 There are actually three types of Cross-Site Scripting, commonly named as:

  • Persistent XSS
  • Non-persistent XSS
  • DOM-Based XSS


A persistent XSS also was known as stored XSS because through this vulnerability the injected malicious script get permanently stored inside the web server and the application server give out it back to the user when he visits the respective website. Hence when the client will click on payload which appears as an official part of the website, the injected JavaScript will get executed by the browser. The most common example is comment option on blogs, which allow the users to POST their comment for the administrator or another user.

Persistent XSS is considered more dangerous because the malicious payload is stored inside the web server as the more visitors will interact with the website will result in more XSS infected user. The attack does not require the phishing technique to target its users.


An example of a web application vulnerable to stored XSS as shown in the screenshot.

This JavaScript gets stored in the database of the web application and gets executed on the victim’s browser, which captures the cookie and sends it to the attacker     

Read complete article from here


The non-persistent XSS is also known as reflected XSS occurs when the web application responds immediately on user’s input without validating the inputs this lead an attacker to inject browser executable code inside the single HTML response. It’s named as “non-persistent” since the malicious script does not get stored inside the web server, therefore attacker will send the malicious link through phishing to trap the user.

The most common applying of this kind of vulnerability is in Search engines in the website: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities.


An example of a web application vulnerable to reflected XSS as shown in the screenshot.

It is also known as type 1 because this attack is carried out through a single request/response then gets executed on the victim’s browser, and will prompt an alert “hellllooo” to his browser.

Read complete article from here


The Document Object Model (DOM) is an API that increases the skill of programmers or developers to produce and change HTML and XML documents as programming objects.

The JavaScript language is used in DOM, which is also used for other websites. Through JavaScript it allows the programmer to make the dynamic changes in HTML document can be accessed, modify, deleted, or added using the DOM.

When an HTML document is loaded into a web browser, it becomes a document object.

The document object is the root node of the HTML document and the “owner” of all other nodes

The HTML DOM model is constructed as a tree of Objects

With the object model, JavaScript gets all the power it needs to create dynamic HTML:

  • JavaScript can change all the HTML elements in the page
  • JavaScript can change all the HTML attributes in the page
  • JavaScript can change all the CSS styles in the page
  • JavaScript can remove existing HTML elements and attributes
  • JavaScript can add new HTML elements and attributes
  • JavaScript can react to all existing HTML events in the page
  • JavaScript can create new HTML events on the page

The DOM-Based Cross-Site Scripting is vulnerability which appears in a document object model instead of the html page. An attacker is not allowed to execute malicious script on the user’s website although on his local machine in URL, it is quite different from reflected and XSS because in this attack developer cannot able to find malicious script in HTML source code as well as in HTML response, it can be observed at execution time.

The DOM-Based XSS exploits these problems on the user’s local machines in this way:

– The attacker creates a well-built malicious website
– The ingenious user opens that sites
– The user has a vulnerable page on his machine
– The attacker’s website sends commands to the vulnerable HTML page
– The vulnerable local page executes that commands with the user’s privileges on that machine.
– The attacker easily gains control of the victim computer.


The following screenshot is an example of a web application server that is affected with DOM-based XSS attack. The web application let you choose the following language and will execute through URL.

The attacker will add malicious script inside URL

 The major difference between DOM XSS and Reflected or Stored XSS flaw is that it cannot be stopped by server-side filters because anything written after the “#” (hash) will never forward to the server.



Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

1 Comment Beginners Guide to Cross Site Scripting (XSS)

Leave a Reply

Your email address will not be published. Required fields are marked *