Types of Cross-Site Scripting XSS Attacks

by Tashina

Cross-Site Scripting or an XSS attack is a way in which the attacker can potentially steal session cookies and impersonating their victim and gain access to their information. Not only this, but XSS attacks can also result in malware, network worms, and defacement of the website. Attackers sometimes also use cross-site scripting and social engineering side by side which can incur further damage.

There are three categories of XSS attacks:

Stored XSS

Stored XSS or persistent XSS is one of the most serious. Attackers inject JavaScript content into the system of their victim. To worsen the issue, if the system does not have an input validation check then the attacker’s code will permanently reside within the application. When the victim opens this malicious webpage or application, they will end up running it in their software. XSS payload serves the victim just like a regular HTML code would do. Thus, they are unaware of their functionality.

Reflected XSS

Reflected XSS or non-persistent XSS is the most common form of XSS attacks. As the name suggests, this cross-site scripting attack works through the mechanism of reflection. Unlike stored XSS, non-persistent XSS works by sending the attacker’s payload in the web server request. Afterwards, the HTTP response is reflected in such a way that it carries an image of the HTTP request protocol. Social engineering techniques come in handy here as they help to lure the victim into requesting the server. Sometimes attackers also use phishing emails or malicious links to lure the victim. As it is a non-persistent attack so the attacker sends a separate payload to each victim.


An advanced form of XSS attack is the DOM (Document Object Model) based XSS. This attack is held on those servers which use DOM to store data provided by the users. This data is frequently read and fed to the browser. However, the incorrect handling of data can result in the injection of the payload. Thus, the payload resides in the DOM and executes every time data is read from the latter.

If you would like to ensure your website is free from the most common vulnerabilities you can get a web application penetration testing quote from Aardwolf Security today.

You may also like