Cross-site Scripting can be classified into four major categories – Stored XSS, Reflected XSS, DOM-based XSS and Blind XSS. In all cases with XSS, the goal of an attacker is to get a victim to inadvertently execute a maliciously injected script. The malicious script is often referred to as a malicious payload, or simply a payload.
Stored (Persistent) XSS attacks involve an attacker injecting a script (referred to as the payload) that is permanently stored (persisted) on the target application (for instance within a database, in a comment field or in a forum post).
Reflected XSS attacks involve an attacker luring a victim into inadvertently making an HTTP request containing an XSS payload to a web server, usually achieved through phishing or other social engineering attacks. Once sent to the web server, the payload is then reflected back in such a way that the HTTP response includes the payload from the HTTP request.
When a web application is vulnerable to XSS, it will load the attacker-supplied content from a source that the application implicitly trusts, without properly encoding it.
With stored and blind XSS, implicitly-trusted data is loaded from a datastore (such as a database or cache); with reflected XSS, the implicitly-trusted data is loaded from the HTTP request; and with a DOM-based XSS, implicitly-trusted data is loaded from a DOM-XSS source within the browser’s DOM.
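To make the "implicitly trusted, not properly encoded" point concrete, here is an added example (not code from the Acunetix report) that renders the same untrusted string from two of the sources above, the HTTP request (reflected) and a datastore (stored), first without encoding and then with HTML encoding at the point of output. The helper names (escapeHtml, renderSearchPage*, renderCommentsSafe) and the sample inputs are constructed for this illustration.

```javascript
// Encode the five characters that are significant in an HTML text or
// attribute context, so the browser parses the value as text, not markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Reflected source: the query parameter arrives in the HTTP request and is
// echoed straight back. This version trusts it implicitly (vulnerable).
function renderSearchPageUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened version: the same data, encoded for the HTML context on output.
function renderSearchPageSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored source: comments persisted earlier (e.g. in a database) are just as
// untrusted when loaded back. The fix is the same: encode on output.
function renderCommentsSafe(comments) {
  return "<ul>" + comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("") + "</ul>";
}

// Constructed sample inputs (hypothetical, not values from the report).
const SAMPLE_QUERY = "<script>alert(1)</script>";
const SAMPLE_COMMENTS = ["nice post", '<img src=x onerror="alert(1)">'];

// Review-time check: encoded output must not contain any raw "<" or ">"
// that came from the untrusted value.
function introducesMarkup(encodedValue) {
  return /[<>]/.test(encodedValue);
}

// Stand-alone demonstration.
console.log("unsafe:", renderSearchPageUnsafe(SAMPLE_QUERY));
console.log("safe:  ", renderSearchPageSafe(SAMPLE_QUERY));
console.log("stored:", renderCommentsSafe(SAMPLE_COMMENTS));
```

The encoding must match the output context (HTML body here); a value placed inside a JavaScript string or a URL needs the encoding for that context instead.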
While that is good news, with 33% of sampled targets still being vulnerable to XSS, there is clearly a lot of wiggle room left for attackers to abuse XSS.
This post contained excerpts from the 2016 Acunetix Web Application Vulnerability Report. For more stats and coverage on web application vulnerabilities in 2016, download the report for free.