Cross Site Scripting
applications. It occurs when an attacker is able to inject malicious scripts into web pages viewed by other users. These scripts are then executed in the context of the victim's browser, potentially leading to harmful outcomes such as:
1. Data Theft: The attacker can steal sensitive information such as cookies, session tokens, or other data belonging to the user.
2. Session Hijacking: The attacker can take over a user's session and impersonate them on the website.
3. Defacement: The attacker can modify the content of a web page to display unwanted or malicious content.
4. Phishing: The attacker can create fake forms or prompts to trick users into entering their credentials or other sensitive information.
1. Stored XSS
In a stored XSS attack, the malicious script is stored on the web server, usually within a database, and is executed whenever the stored content is retrieved and viewed by other users.
Technique:
The attacker submits a malicious script in a form field (e.g., a comment box or profile section), and the application saves it to the database.
<script>alert('XSS Attack');</script>
2. Reflected XSS
In reflected XSS, the malicious script is not stored permanently but is reflected off the web server back into the response, typically via query parameters or form inputs.
Technique:
The attacker crafts a URL with a malicious script embedded in the query string.
https://example.com/search?q=%3Cscript%3Ealert(%27XSS%27);%3C/script%3E
3. DOM-based XSS
DOM-based XSS occurs when the vulnerability lies in the client-side code (JavaScript) rather than on the server. The page's own script reads untrusted input (for example from the URL) and writes it into the DOM, so the malicious payload is inserted into the page directly in the browser.
Technique:
<script>
// Vulnerable sink: untrusted data read from the URL fragment is written as HTML
var userInput = location.hash.substring(1);
document.getElementById("content").innerHTML = userInput;
</script>
https://example.com#<script>alert('XSS');</script>
4. Event Handler Injection
Attackers can inject JavaScript into HTML event handlers, such as onclick, onmouseover, or onload.
Technique:
The attacker places a script inside an attribute that triggers an event handler, so that the script executes when the event fires (for example, when the image fails to load).
5. Script Tag Injection
Attackers can directly inject <script> tags into a vulnerable website's input fields.
Technique:
<script>alert('XSS');</script>
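The standard defence against the stored, reflected, DOM-based and script-tag cases above is to encode untrusted data for the context it lands in, and to use a text sink instead of innerHTML on the client. The following is an added example written for these notes, not code from the original document; the function names and the `element` object shape are assumptions, and the payload is the one quoted in the notes.

```javascript
// Added example (not from the original notes): contextual output encoding for
// stored/reflected XSS, and the safe DOM sink that replaces innerHTML.

// The five characters that must be encoded in HTML text content and in
// double- or single-quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode untrusted data before placing it in element content or a quoted
// attribute. After encoding, a "<script>" in the input renders as text.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected XSS case: the search page echoes the query back to the user.
// Safe version: the query is encoded, so it can never become markup.
function renderSearchPage(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Vulnerable version of the same page, kept only for comparison: the raw
// query is concatenated into the document, so a <script> tag in it is
// parsed as a real script element by the browser.
function renderSearchPageUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// DOM-based XSS case: write untrusted input with textContent, not innerHTML.
// `element` is any object with a textContent property (a real DOM element in
// the browser; a plain object when run outside a browser).
function renderUserContent(element, userInput) {
  element.textContent = userInput; // treated as text, never parsed as HTML
  return element;
}

// Constructed sample payload: the same one quoted in the notes above.
const SAMPLE_PAYLOAD = "<script>alert('XSS');</script>";
```

In a browser, `renderUserContent(document.getElementById("content"), location.hash.substring(1))` is the safe replacement for the innerHTML assignment shown in the DOM-based section.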
6. Iframe Injection
Attackers can inject malicious iframes to display phishing pages or capture user interactions.
Technique: