Types of XSS: Stored XSS, Reflected XSS and DOM-based XSS

Cross-site Scripting attacks (XSS) can be used by attackers to undermine application security in many ways. It is most often used to steal session cookies, which allows the attacker to impersonate the victim. In addition to that, XSS vulnerabilities have been used to create social networks worms, spread malware, deface websites, and phish for credentials. They have also been used in conjunction with social engineering techniques to escalate to more damaging attacks such as private information retrieval.

Cross-site Scripting can be classified into three major categories — Stored XSS, Reflected XSS, and DOM-based XSS.


Stored XSS (Persistent XSS)

The most damaging type of XSS is Stored XSS (Persistent XSS). An attacker uses Stored XSS to inject malicious content (referred to as the payload), most often JavaScript code, into the target application. If there is no input validation, this malicious code is permanently stored (persisted) by the target application, for example within a database. For example, an attacker may enter a malicious script into a user input field such as a blog comment field or in a forum post.

When a victim opens the affected web page in a browser, the XSS attack payload is served to the victim’s browser as part of the HTML code (just like a legitimate comment would). This means that victims will end up executing the malicious script once the page is viewed in their browser.

Reflected XSS (Non-persistent XSS)

The second and the most common type of XSS is Reflected XSS (Non-persistent XSS). In this case, the attacker’s payload has to be a part of the request that is sent to the web server. It is then reflected back in such a way that the HTTP response includes the payload from the HTTP request. Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making a request to the server. The reflected XSS payload is then executed in the user’s browser.

Reflected XSS is not a persistent attack, so the attacker needs to deliver the payload to each victim. These attacks are often made using social networks.

DOM-based XSS

DOM-based XSS is an advanced XSS attack. It is possible if the web application’s client-side scripts write data provided by the user to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and outputted to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.

A DOM-based XSS attack is often a client-side attack and the malicious payload is never sent to the server. This makes it even more difficult to detect for Web Application Firewalls (WAFs) and security engineers who analyze server logs because they will never even see the attack. DOM objects that are most often manipulated include the URL (document.URL), the anchor part of the URL (location.hash), and the Referrer (document.referrer).

XSS Discovery and Prevention

Cross-site Scripting is a very old technique but XSS vulnerabilities remain one of the most common ones on the web. They are still mentioned by the Open Web Application Security Project (OWASP) as one of the top-10 security risks.

An easy way to test if your website or web application is vulnerable to XSS and other vulnerabilities is to run an automated web scan using the Acunetix vulnerability scanner, which includes a specialized XSS scanner module. Take a demo and find out more about running XSS scans against your website or web application.

You can learn how to prevent XSS attacks in the following article: Preventing XSS Attacks.

Frequently asked questions

Stored (persistent) cross-site scripting (XSS) happens when an attacker injects malicious code into the target application (for example, through a forum post or a comment) and this content is permanently stored (for example, in a database). Later, when victims visit a page with the stored malicious code, their browsers execute this code.

Learn more about stored (persistent) XSS.

Reflected (non-persistent) cross-site scripting (XSS) happens when an attacker uses a malicious link, phishing email, or another social engineering technique to lure the victim into making a request to the server and this request contains malicious code. The victim’s browser then receives a reply with the malicious code and executes it.

Read more about cross-site scripting in general.

DOM-based cross-site scripting (XSS) happens when the web application writes user input to the Document Object Model (DOM), then reads the data from the DOM and executes it in the browser. It often happens that the malicious code is not sent to the server, which makes it difficult to detect by web application firewalls (WAFs) and security engineers who analyze server logs.

Learn more about DOM-based cross-site scripting.

The best way to discover cross-site scripting is by using a professional web vulnerability scanner based on an advanced crawling and scanning engine. Acunetix is the industry leader in discovering XSS, including the difficult-to-detect DOM-based XSS.

See what Acunetix Premium can do for you.