
A Quick Overview of XSS – The Many Varieties of XSS

XSS is a weakness inherent in the same-origin policy. The same-origin policy is a security mechanism adopted by every modern browser, and it only allows pages to load content from the same domain as the page doing the loading. But there are exceptions that allow pages to load third-party assets (most web pages load external JavaScript, CSS, or images), and this is the vector through which XSS occurs.

When a browser loads the src attribute of an HTML tag, it executes the code that attribute points to. That code doesn't have to be a file; it can be included directly in the attribute string. And src isn't the only attribute that can execute JavaScript.

The following is an example of an XSS testing snippet. It uses the onmouseover attribute to execute a JavaScript alert() as a classic XSS canary:

<a onmouseover="alert(document.location)" href="#">snippet text</a>

document.location is included as an easy way of referencing the exact URL where the XSS is occurring.

The snippet we just referenced is an example of stored or persistent XSS: the <a> tag with the malicious JavaScript would be submitted via a form input as part of a comment or general text field, stored in the web app's database, and later retrieved and viewed by other users looking at that page. Then, when someone hovered over that element, its onmouseover event would trigger execution of the malicious XSS code.

Reflected XSS is when the injected script is reflected off the target server through a page of search results, an error message, or another message made up in part by the user's input. Reflected XSS can be very damaging because it leverages the trust of the server the code is being reflected from.

There's also DOM-based XSS, a more specialized type of the attack that relies on the user being supplied a hacker-generated link containing an XSS payload. When the user's browser opens the link, the page's own client-side code echoes the payload back as it constructs the DOM, and the code executes.

Although stored/persistent XSS, reflected XSS, and DOM-based XSS are one possible grouping of XSS varieties, another way of thinking about the different types is to divide the bug into client XSS and server XSS. In this framework, both the client and server variations have stored and reflected types: server XSS occurs when the server supplies unverified user data, either from a request (reflected XSS) or from a stored location (stored XSS), while client XSS is the execution of unverified code in the client, from the same locations.
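The following is an added example, not code from the book, that shows the server-XSS side of this framework in working form: the same stored comment from the earlier snippet is echoed raw (vulnerable) and output-encoded (hardened), and a small heuristic scanner flags the inline-event-handler and javascript: URL patterns in stored content. The function names, the `SAMPLE_COMMENT` string, and the `<div class="comment">` wrapper are all constructed for this illustration.

```javascript
// Added example (not from the book). Runs stand-alone under Node.js.

// Constructed sample input: the comment text a user would submit through a
// form, matching the stored-XSS snippet discussed above.
const SAMPLE_COMMENT =
  '<a onmouseover="alert(document.location)" href="#">snippet text</a>';

// Output-encode the five characters HTML treats specially. Encoding on
// output is what neutralises both stored and reflected server XSS, because
// the browser then sees text, not markup.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the server concatenates user data straight into the
// page, so the browser parses the <a> tag and wires up its onmouseover handler.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened pattern: identical template, but the data is encoded first.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Detection heuristic for reviewing stored content or rendered pages: an
// on* attribute or a javascript: URL inside an actual tag. Anchoring on a
// real "<tag" avoids false positives on already-encoded text such as
// "&lt;a onmouseover=...". This is a review aid, not a replacement for
// output encoding.
const INLINE_HANDLER = /<[a-z][^>]*\son[a-z]+\s*=/i;
const JS_URL = /<[a-z][^>]*\s(?:href|src)\s*=\s*["']?\s*javascript:/i;

function findXssIndicators(html) {
  const hits = [];
  if (INLINE_HANDLER.test(html)) hits.push('inline-event-handler');
  if (JS_URL.test(html)) hits.push('javascript-url');
  return hits;
}

// Demonstration output when run directly with `node`.
console.log('unsafe:', renderCommentUnsafe(SAMPLE_COMMENT));
console.log('safe  :', renderCommentSafe(SAMPLE_COMMENT));
console.log('flags on unsafe:', findXssIndicators(renderCommentUnsafe(SAMPLE_COMMENT)));
console.log('flags on safe  :', findXssIndicators(renderCommentSafe(SAMPLE_COMMENT)));
```

The point of the two render functions is that the template, the database, and the user input are identical in both cases; the only difference is whether encoding happens at the point where data meets markup. The scanner is deliberately coarse and only catches the two patterns the chapter has introduced so far.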

We'll cover a mix of techniques for detecting XSS, some of which will apply only to specific types, others to a wider variety of attacks.
