Trusted answers to developer questions
Trusted Answers to Developer Questions

Related Tags


What are the different types of XSS attacks?

Omer Kamran


Cross-site scripting (XSS) attacks refer to the process of abusing the Same Origin Policy to inject malicious code into the client machine without the client suspecting anything.

Types of XSS

There are three types of XSS attacks:

  • Reflected XSS attacks
  • Stored XSS attacks
  • DOM-based XSS attacks

Let’s discuss them in detail.

Reflected XSS

Information that the user might enter on a webpage is used in an HTML request to get a response from the application’s backend. If the input is not escapedEscaping is used when special characters that may also have functionalities, in the language being used for the application, are inserted into user text. This is done to avoid confusing the compiler between the user input and the actual code. correctly, the user may input code instead of regular input, and the browser, while using that information, may end up executing malicious code instead.

We can take the example of a simple website that requests user input, displays search results, and echoes the term on the next page.

The URL below is an example URL, not an actual one.

In the URL above, the user inputs educative, and it is echoed on the next page.

The code below executes to display the headline, before returning the search results as follows:

const Message = () => {
    let text = "<h1>You searched for: \"" + input + "\"</h1>";

    return (
        <div> dangerouslySetInnerHTML={{__html: text}} />
        // React escapes HTML code automatically
        // while rendering the page. However, the 
        // function above is used for purposely
        // not escaping inner HTML.


  • Line 2: This contains the harmful piece of code that can result in an XSS attack.
  • Line 5: This contains a function that has been provided by React, which does not escape text on purpose.

Here, the user may input some malicious code since the input is not being sanitized. The user can use the following input as the searched term:

<script>alert("haha! you've been pwned!")</script>

The following URL can be created with the input above, and is capable of executing the code injected inside the URL for whoever clicks on it.<script>alert("haha! you've been pwned!")</script>

Stored XSS

As the name suggests, this type of XSS is aimed at storing the malicious code in a datastore. This way, whenever the stored data is fetched, it can trigger malicious activity for the person requesting the data. Below, we have an illustration that demonstrates the stored XSS attack:

1 of 4

The attacker will enter malicious code where the application requests user input and the application will store the code in a datastore. Whenever a new user fetches the code containing the injected script from the datastore, their application will end up executing the malicious code.

DOM-based XSS

Discovered in 2005, this kind of XSS attack is also known as type-0 XSS. Applications vulnerable to this kind of attack can directly have their DOM modified. It is neither stored nor reflected. The application is injected with the malicious code without requests hitting the server or the datastore.

This kind of attack came into being when developers started keeping more functionalities on the user side in order to minimize the application-server interaction due to browser vulnerabilities. This required the URI to track user activity in the application.

The attacker can alter the URI and modify the DOM, provided that the URI is being used as raw HTML in the code.

  let page = window.location.hash;



  • Line 3: The window.location.hash is a DOM property that returns or sets the anchor part of the URL. For example, if our location is\answers#2, then window.location is set to #2. Modifying this to the desired malicious script can result in a DOM-based XSS attack.
  • Line 5: This function performs a specific set task, depending upon what the page number is, when we call it.
  • Line 7: We use this method in jQuery to set the inner HTML for the first matched query given inside the parenthesis. For the element with the ID #page-no, the .html(page) method sets the element to whatever the value of page is.



View all Courses

Keep Exploring