8. Introduction to Cross Site Scripting (XSS)

Definition

Cross-site scripting (XSS) lets us execute JavaScript in a victim's browser, giving us control over the application in the context of that user.

NOTE: Even though XSS should be a thing of the past, since many modern frameworks and tools implement automated protection against these types of attacks, XSS can unfortunately still be found in them.

IMPORTANT - Try to understand the differences between the different types of XSS as well as possible, as this is a very popular interview question in cybersecurity!

There are three types of XSS:

Reflected XSS

![[Pasted image 20231105235050.png]]

Reflected XSS is a type of XSS in which we send a JS script to the server inside a request and get that same script back in the response.

  • You can only target yourself with it.
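The reflection described above, shown as an added example that is not part of the original notes: a minimal server-side "search" page that concatenates the request's query into the response (the defect), next to the same page with contextual HTML escaping (the fix). The function names, the page layout and the probe string are assumptions made for this demo.

```javascript
// Added example, not from the original notes. Function names and page layout are
// assumptions for the demo; the probe string is a constructed sample input.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query parameter is concatenated straight into the response body,
// so markup sent in the request comes back in the response and the browser runs it.
function renderSearchUnsafe(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Hardened: the same page, but the reflected value is escaped for the HTML context,
// so the browser renders it as text instead of parsing it as markup.
function renderSearchSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Crude reflection check a defender can put in a unit test: does a raw <script>
// tag survive into the rendered output for a probe value?
function reflectsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed probe: the kind of value that would arrive in a crafted request.
const PROBE = "<script>alert(1)</script>";

// Run both renderers on the probe and report whether each reflects raw markup.
function demo() {
  return {
    unsafeReflects: reflectsRawScript(renderSearchUnsafe(PROBE)), // true
    safeReflects: reflectsRawScript(renderSearchSafe(PROBE)),     // false
    safeOutput: renderSearchSafe(PROBE),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Output encoding has to match the context the value lands in (HTML body, attribute, URL, JavaScript); the escaper here covers only the HTML text and attribute contexts.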

Stored XSS

![[Pasted image 20250107110538.png]]

DOM-based XSS

![[Pasted image 20250107110723.png]]

NOTE:

It is better to use print() or, preferably, prompt() instead of alert() for XSS testing, because depending on the browser, and especially in Google Chrome, restrictions and filtering might prevent the alert() function from showing up.

Also research https://portswigger.net/research/alert-is-dead-long-live-print for a more in-depth explanation, as it will help figure out what the new meta is.

![[Pasted image 20250107111907.png]]