Cross-site scripting (XSS) is one of the most popular web application attacks. It arises when user input is not sanitized and the web application executes a script sent by the user. When a malicious user sends a script to the web application and it executes successfully, that is called a cross-site scripting or XSS attack. It is good to know HTML and JavaScript when learning XSS; you can learn XSS without them, but you will find it difficult to create your own XSS payloads to bypass filters.

Types Of XSS Attack

  • Reflected XSS
  • Stored XSS
  • DOM-Based XSS

  1. Reflected XSS
Reflected cross-site scripting, also known as non-persistent XSS, is a type of XSS in which the user's script is executed in the client's browser instead of on the server. What does that mean? When an application reflects HTTP request data in the HTTP response, there is a possibility of an XSS attack. If an application does this and a malicious user sends JavaScript code in the HTTP request, the application reflects it in the HTTP response and the code is executed.
Let's take an example to see how it actually works in practice.

First, look at this in a normal browser, without examining the HTTP request and response.

  • Open the site http://testphp.vulnweb.com/. It is a vulnerable website for practice.
  • Click on the search bar on the site and search for anything, such as hacker.
  • When the page refreshes, you will see that hacker is reflected on the page.

As you can see on the resulting page, my search for hacker is reflected as Searched For hacker. That means there is a chance of a reflected XSS attack. Now click on search again and type
<script>alert(1)</script>
and you will get a pop-up saying 1.

How does this happen? Your first search, hacker, showed that your input is reflected back. The second time, instead of normal text, you searched with basic JavaScript code, and it was again reflected back, but as JavaScript code, not as a string or normal text.

If you know JavaScript, you will recognize this code. If you don't, it is a simple script: an opening and closing script tag around an alert call, which shows an alert box with the message you entered; in this case the message is 1.
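
The reflection described above, as an added example that is not part of the original article or the test site's code: a search handler that echoes the query unencoded, beside a version that HTML-encodes it, plus a small check that flags raw reflection. The function names and markup are assumptions.

```javascript
// Added example: function names and markup are assumptions,
// not the code of the practice site mentioned in the article.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: request data is concatenated into the response as markup,
// so a <script> element in the query becomes a real element in the page.
function renderSearchVulnerable(query) {
  return `<h2>Searched for ${query}</h2>`;
}

// Hardened: the same value is encoded for the HTML body context first,
// so the browser displays it as text instead of parsing it.
function renderSearchSafe(query) {
  return `<h2>Searched for ${escapeHtml(query)}</h2>`;
}

// Regression check for a test suite: true when the response contains the
// input verbatim and the input carries HTML metacharacters.
function reflectsRawMarkup(html, input) {
  return /[<>"']/.test(input) && html.includes(input);
}

// Constructed sample inputs: the plain term and the script from the article.
const samples = ["hacker", "<script>alert(1)</script>"];
for (const q of samples) {
  const bad = renderSearchVulnerable(q);
  const good = renderSearchSafe(q);
  console.log("vulnerable:", bad, "| raw markup reflected:", reflectsRawMarkup(bad, q));
  console.log("hardened:  ", good, "| raw markup reflected:", reflectsRawMarkup(good, q));
}
```

The plain term hacker renders identically in both versions; only input containing markup shows the difference, which is why the check uses a value with HTML metacharacters.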

As this is a full series on XSS, I will try to explain it with a different example in the next article. Until then, try to find XSS in your local vulnerable machine. You can check out another article on vulnerable machines for hacking practice.
