Cross-Site Scripting (XSS) Types & Prevention: The Complete Cheat Sheet

Introduction to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a critical web security vulnerability that allows attackers to inject malicious client-side scripts into websites viewed by other users. These attacks bypass the Same-Origin Policy, allowing attackers to steal sensitive information, hijack user sessions, redirect users to malicious websites, or perform actions on behalf of the victim. XSS remains one of the most common web application security risks on the OWASP Top 10 list.

Core Concepts: XSS Attack Types

Reflected XSS

Description: Non-persistent attack where malicious script is reflected off a web server through a request
Delivery: URL parameters, form submissions, HTTP headers
Persistence: One-time execution when user clicks malicious link or submits form
Impact: Session theft, credential harvesting, phishing

Stored XSS

Description: Persistent attack where malicious script is stored on the target server
Delivery: Comments, user profiles, messages, form fields
Persistence: Executes every time users access the affected page
Impact: Affects all visitors to the compromised page

DOM-based XSS

Description: Occurs entirely in the browser when JavaScript modifies the DOM insecurely
Delivery: Fragment identifiers (#), HTML5 History API, client-side template injection
Execution: Client-side JavaScript execution flow
Impact: Similar to other XSS types but more difficult to detect server-side

Blind XSS

Description: Special case of stored XSS where attacker cannot see the immediate outcome
Targets: Admin panels, logs, CRM systems
Detection: Requires callbacks to attacker-controlled server
Impact: High severity due to admin/internal system access

XSS Attack Process

Vulnerability Identification: Attacker identifies input fields or parameters that aren’t properly sanitized
Payload Creation: Crafting malicious JavaScript code based on the vulnerability
Delivery Method Selection: Choosing between direct attacks (stored), social engineering (reflected), or client-side manipulation (DOM-based)
Execution Trigger: Victim loads affected page or clicks malicious link
Payload Execution: Browser executes injected script in victim’s context
Data Exfiltration/Action: Script performs malicious actions (cookie theft, keylogging, etc.)

XSS Prevention Techniques

Input Validation & Sanitization

Validate input against whitelist of allowed characters/patterns
Reject invalid input rather than attempting to fix it
Use language-specific sanitization libraries
Implement input length restrictions
Validate both client-side (usability) and server-side (security)

Output Encoding

HTML entity encoding for HTML contexts
JavaScript string encoding for JS contexts
URL encoding for URL parameters
CSS hex encoding for style properties
Apply context-specific encoding at the point of output

Content Security Policy (CSP)

Restrict script sources with script-src directive
Disable inline scripts with 'unsafe-inline' restriction
Implement nonce-based or hash-based CSP
Set report-uri for violation reporting
Use strict-dynamic for complex applications

Response Headers

X-XSS-Protection: 1; mode=block (for legacy browsers)
Content-Type with charset specification
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie with HttpOnly and Secure flags

Framework-Specific Defenses

Use template escape mechanisms (React’s JSX, Angular’s interpolation)
Leverage built-in XSS protections in modern frameworks
Avoid dangerous functions (eval(), innerHTML, document.write())
Use safer alternatives (textContent instead of innerHTML)
Enable security-focused linting tools

Comparison of XSS Types

Characteristic	Reflected XSS	Stored XSS	DOM-based XSS
Persistence	Non-persistent	Persistent	Typically non-persistent
Server Storage	No	Yes	No
Attack Vector	URL parameters, forms	Stored content (comments, posts)	Client-side DOM manipulation
Detection Difficulty	Easy-Medium	Medium	Hard
Server Visibility	Visible in request/response	Visible in stored data	Often invisible to server
Impact Scope	Individual victims	All users viewing affected page	Users with vulnerable browser/DOM
Prevention Focus	Input validation, output encoding	Input sanitization, storage security	Client-side validation, safe DOM APIs

Common XSS Challenges and Solutions

Challenge: Framework Bypasses

Solution: Stay updated on framework-specific XSS bypasses and apply security patches promptly

Challenge: Complex HTML Contexts

Solution: Use context-aware encoding libraries like DOMPurify or OWASP ESAPI

Challenge: Legacy Browser Support

Solution: Implement defense-in-depth with multiple protection layers

Challenge: Third-Party Scripts

Solution: Use Subresource Integrity (SRI) and strict CSP rules

Challenge: User-Generated Rich Content

Solution: Implement HTML sanitization libraries and restrict allowed HTML elements/attributes

Best Practices for XSS Prevention

Defense in Depth: Implement multiple layers of XSS protection
Context-Awareness: Apply encoding specific to the output context
Security Headers: Implement all relevant security headers
Principle of Least Privilege: Limit JavaScript capabilities with CSP
Input Handling: Treat all user input as untrusted
Regular Testing: Conduct security assessments and penetration testing
Security Code Reviews: Perform focused code reviews for XSS vulnerabilities
Automated Scanning: Integrate SAST and DAST tools in development pipeline
Framework Usage: Leverage modern frameworks with built-in XSS protections
Stay Updated: Follow security advisories for used technologies

XSS Testing Techniques

Basic Payload Testing

Simple alert: <script>alert(1)</script>
Event handlers: <img src="x" onerror="alert(1)">
JavaScript URI: <a href="javascript:alert(1)">Click me</a>

Bypass Techniques

Case variation: <ScRiPt>alert(1)</sCrIpT>
Encoding: <img src="x" onerror="alert(1)">
Alternative attributes: <div onmouseover="alert(1)">Hover me</div>
No quotes: <img src=x onerror=alert(1)>
Template injection: ${alert(1)}

Automated Testing Tools

OWASP ZAP
Burp Suite Pro
XSS Hunter
Acunetix
Netsparker

Cross-Site Scripting (XSS) Types & Prevention: The Complete Cheat Sheet

Introduction to Cross-Site Scripting (XSS)

Core Concepts: XSS Attack Types

Reflected XSS

Stored XSS

DOM-based XSS

Blind XSS

XSS Attack Process

XSS Prevention Techniques

Input Validation & Sanitization

Output Encoding

Content Security Policy (CSP)

Response Headers

Framework-Specific Defenses

Comparison of XSS Types

Common XSS Challenges and Solutions

Challenge: Framework Bypasses

Challenge: Complex HTML Contexts

Challenge: Legacy Browser Support

Challenge: Third-Party Scripts

Challenge: User-Generated Rich Content

Best Practices for XSS Prevention

XSS Testing Techniques

Basic Payload Testing

Bypass Techniques

Automated Testing Tools

Resources for Further Learning

Documentation

Tools

Training

Cross-Site Scripting (XSS) Types & Prevention: The Complete Cheat Sheet

Introduction to Cross-Site Scripting (XSS)

Core Concepts: XSS Attack Types

Reflected XSS

Stored XSS

DOM-based XSS

Blind XSS

XSS Attack Process

XSS Prevention Techniques

Input Validation & Sanitization

Output Encoding

Content Security Policy (CSP)

Response Headers

Framework-Specific Defenses

Comparison of XSS Types

Common XSS Challenges and Solutions

Challenge: Framework Bypasses

Challenge: Complex HTML Contexts

Challenge: Legacy Browser Support

Challenge: Third-Party Scripts

Challenge: User-Generated Rich Content

Best Practices for XSS Prevention

XSS Testing Techniques

Basic Payload Testing

Bypass Techniques

Automated Testing Tools

Resources for Further Learning

Documentation

Tools

Training

Related Posts