May 13, 2026
Cross-Site Scripting(XSS- A Web Application Vulnerability)
Cross-Site Scripting (XSS) is a web security vulnerability that occurs when a trusted website allows users to input malicious scripts…
swostika poudel
2 min read
Cross-Site Scripting (XSS) is a web security vulnerability that occurs when a trusted website allows users to input malicious scripts. Because the browser views the script as legitimate, it executes it in the victim's browser. Attackers use XSS to steal cookies, hijack user sessions, or redirect users to phishing sites.
How XSS Works:
An XSS attack usually follows this sequence:
- The Flaw: A web application takes user input and includes it in a webpage without properly validating or encoding it.
- The Injection: An attacker injects a malicious script (usually in JavaScript) into the site.
- The Execution: When unsuspecting users view the page, their browser runs the malicious script, trusting it comes from the website
Common Types of XSS
- Stored XSS (persistent XSS) : The malicious script is permanently saved on the target application's server (e.g., in a database or a comment section,forum post) and executes every time a user visits the affected page. In other words, When other users load the affected page, the script is automatically executed in their browsers.
- Example:
A user submits a comment containing
<script>alert('XSS')</script>and it gets saved. Every visitor sees and executes it.
Impact:
- Affects multiple users
- Can steal session cookies, credentials, or perform actions on behalf of users
- Very simple example (basic reflected XSS):
Another example,Suppose a site does:
Hello, <b> USER_INPUT </b>
- You type:
vedika→ page shows:Hello, vedika(safe). - You type:
<script>alert(1)</script>→ if not filtered, browser will execute this and show a popup.
Reflected XSS(Non-persistent): This happens when input is immediately returned by the server in the response.
- The malicious script is not stored; it is reflected in the response.
- Usually delivered via a crafted URL.
- example: https://example.com/search?q=
- If the site displays
qwithout sanitization, the script executes.
DOM-Based XSS: The vulnerability exists in the client-side code rather than the server-side code, allowing the attacker to alter the webpage via Document Object Model (DOM) manipulation. The vulnerability exists in JavaScript code, not the server.
- The script modifies the DOM using unsafe input (e.g.,
document.location,innerHTML)
Example: document.getElementById("output").innerHTML =location.hash;
document.getElementById("output"): Finds the specific HTML element on the page that hasid="output"(like<div id="output"></div>).location.hash: Gets the part of the current page URL that contains the anchor/fragment (e.g., if your URL is://example.com, it returns"#welcome")..innerHTML: Replaces the HTML content inside the target element with the hash valueinnerHTMLrenders whatever text is passed to it as raw HTML, it leaves the website vulnerable to Cross-Site Scripting (XSS).If an attacker tricks a user into clicking a link with malicious JavaScript in the hash (e.g.,#<script>alert('account')</script>), the browser will execute the malicious script
Impact:
- No server interaction required
- Harder to detect with traditional server-side defenses.
**Get vs Post in XSS :**In XSS and web applications, GET and POST are HTTP methods used to send data between the browser and the server. They are not XSS types themselves, but XSS attacks can happen through both.
1.GET Method: Data(payload) is sent via URL.
eg: https://site.com/search?q=hello
Here:
q=hellois parameter data- It is visible in the URL
GET-based XSS Example
Vulnerable code: https://site.com/search?q=
If the website reflects the input directly, the script executes.
This is commonly related to Reflected XSS.
- POST Method: Data is sent secretly in the HTTP body, not in the URL.(it is a stored xss example)
eg: