
What Is XSS (Cross-Site Scripting)? Types, Examples, and How to Fix It

Reflected, Stored, and DOM XSS explained, with detection strategies

What Is XSS

Cross-Site Scripting (XSS) is an injection vulnerability where an attacker injects malicious client-side scripts into web pages viewed by other users. When a browser renders the compromised page, it executes the attacker's script with the same privileges as the legitimate application code.

Classified under OWASP A03:2021 – Injection and mapped to CWE-79, XSS is one of the most common web application vulnerabilities. Unlike SQL injection, which targets the database, XSS targets the end user's browser—stealing sessions, redirecting to phishing sites, or modifying page content.

The impact of a successful XSS attack includes session hijacking via stolen cookies, credential theft through injected fake login forms, keylogging, defacement, and malware distribution to site visitors.

Three Types of XSS

Reflected XSS

The malicious script is part of the HTTP request (typically a URL parameter) and is reflected back in the server's response without sanitization. The attacker crafts a link containing the payload and tricks the victim into clicking it.

Stored XSS

The attacker's script is permanently stored on the target server—in a database, comment field, or user profile. Every user who views the affected page executes the malicious script automatically. Stored XSS is more dangerous because it does not require per-victim delivery.

DOM-Based XSS

The vulnerability exists entirely in client-side JavaScript. The page's own scripts read data from an attacker-controllable source (such as location.hash or a URL parameter) and write it to a dangerous sink:

// Vulnerable: reads from URL, writes to innerHTML
const userInput = window.location.hash.substring(1);
document.getElementById('output').innerHTML = userInput;

DOM-based XSS is particularly dangerous because the payload never reaches the server, bypassing server-side protections and WAFs.
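The fix for the snippet above is to stop treating the hash as markup. The following is an added example, not code from the CodeSlick page: it shows the two defensive choices for that sink (write text via textContent, or escape before writing to innerHTML) plus a scheme allow-list for href values. `makeElement` is a stand-in object so the example runs in Node without a browser DOM; the sample inputs are constructed.

```javascript
// Added example (not from the original page). Safe handling of an untrusted
// value such as location.hash before it reaches a DOM sink.

// Escape the characters that can break out of an HTML text or attribute
// context. Use this when a value must be inserted as part of markup.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow only http(s) and scheme-less (relative) URLs in an href. Returns
// null for javascript:, data:, vbscript: and any other scheme so the caller
// can substitute a safe default instead of rendering the supplied link.
// Whitespace and control characters are removed before the scheme check
// because browsers ignore them when parsing the scheme.
function safeHref(url) {
  const trimmed = String(url).trim();
  const scheme = trimmed
    .replace(/[\u0000-\u001f\s]/g, '')
    .match(/^([a-z][a-z0-9+.-]*):/i);
  if (!scheme) return trimmed; // relative URL, no scheme present
  const s = scheme[1].toLowerCase();
  return s === 'http' || s === 'https' ? trimmed : null;
}

// Stand-in for a DOM element (assumption: real code uses document.getElementById).
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Fix 1: write the value as text. A real element's textContent never parses HTML.
function renderAsText(el, hash) {
  el.textContent = hash.substring(1);
  return el.textContent;
}

// Fix 2: when markup is genuinely needed, escape the untrusted part first.
function renderEscaped(el, hash) {
  el.innerHTML = `<b>${escapeHtml(hash.substring(1))}</b>`;
  return el.innerHTML;
}

// Fix 3: for links, validate the scheme and fall back to a harmless default.
function renderLink(el, untrustedUrl) {
  const href = safeHref(untrustedUrl) ?? '#';
  el.innerHTML = `<a href="${escapeHtml(href)}">profile</a>`;
  return el.innerHTML;
}

// Constructed inputs for a stand-alone run.
console.log(renderAsText(makeElement(), '#<script>x</script>'));
console.log(renderEscaped(makeElement(), '#<script>x</script>'));
console.log(renderLink(makeElement(), 'javascript:alert(1)'));
console.log(renderLink(makeElement(), 'https://example.com/u?id=1&x=2'));
```

The encoding step is context-specific: `escapeHtml` is correct for HTML text and quoted attribute values, but a value placed into a URL, a script block, or a CSS property needs the encoder for that context, and a URL additionally needs the scheme check shown in `safeHref`.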

Real-World XSS Impact

  • British Airways (2018): Attackers injected a script into the payment page, capturing credit card details of 380,000 customers. The ICO fined BA £20 million.
  • eBay (2015-2016): Stored XSS in auction listings redirected users to phishing pages, compromising seller and buyer accounts.
  • Fortnite (2019): A reflected XSS on an old Epic Games page could have been chained with SSO to take over player accounts.
  • MySpace Samy Worm (2005): The first major XSS worm spread through stored XSS in profiles, affecting over 1 million accounts in 20 hours.

How CodeSlick Detects XSS

CodeSlick identifies XSS vulnerabilities across JavaScript, TypeScript, React, and Python with checks covering all three XSS types:

  • DOM-based XSS: Flags innerHTML, outerHTML, and document.write() when they accept dynamic input (template literals, concatenation, variable assignment). Static strings and sanitized input (e.g., DOMPurify) are excluded.
  • React XSS bypasses: Detects dangerouslySetInnerHTML with unsanitized data and unsafe href attributes that could contain javascript: protocol payloads.
  • Python framework bypasses: Catches Django's mark_safe() and Flask's Markup() with user-controlled input, including f-strings and concatenation.
  • Security header gaps: Flags missing Content-Security-Policy headers and cookie configurations lacking httpOnly or sameSite attributes.

All findings include CWE-79 classification, CVSS severity scoring, and AI-powered fix suggestions that generate properly escaped alternatives.
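To make the heuristics in that list concrete, here is an added, simplified scanner that is not CodeSlick's implementation: a line-oriented check that applies the same distinctions (static literal versus dynamic input; DOMPurify-sanitized versus raw; dangerouslySetInnerHTML and dynamic href in JSX; mark_safe and Markup with f-strings or concatenation in Python). The rule set, the `isStaticString` and `isSanitized` helpers, and the sample files are all constructed for this example; a production tool would parse an AST rather than match lines.

```javascript
// Added example, not CodeSlick's code: line-level XSS sink heuristics.

const RULES = [
  // element.innerHTML = expr / element.outerHTML = expr / document.write(expr)
  { id: 'dom-sink', cwe: 'CWE-79',
    re: /\.(?:innerHTML|outerHTML)\s*=\s*(.+)$|document\.write\((.+)\)\s*;?$/ },
  // React: dangerouslySetInnerHTML={{ __html: expr }}
  { id: 'react-dangerously-set-inner-html', cwe: 'CWE-79',
    re: /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*(.+?)\s*\}\}/ },
  // React: href={expr}; a dynamic value may carry a javascript: URL
  { id: 'react-dynamic-href', cwe: 'CWE-79',
    re: /\bhref\s*=\s*\{(.+?)\}/ },
  // Python: Django mark_safe(expr) / Flask-Markupsafe Markup(expr)
  { id: 'python-mark-safe', cwe: 'CWE-79',
    re: /\b(?:mark_safe|Markup)\((.+)\)\s*$/ },
];

// A single quoted literal with no concatenation or f-string prefix. Template
// literals count as static only when they contain no ${...} substitution.
function isStaticString(expr) {
  if (/^(['"])(?:\\.|(?!\1).)*\1$/.test(expr)) return true;
  if (/^`[^`]*`$/.test(expr) && !expr.includes('${')) return true;
  return false;
}

// Treat output of DOMPurify.sanitize(...) as already sanitized (assumption:
// the only sanitizer recognised by this toy scanner).
function isSanitized(expr) {
  return /\bDOMPurify\.sanitize\(/.test(expr);
}

// Scan one source file; returns one finding per flagged line and rule.
function scanSource(source, fileName = 'input') {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      const m = line.match(rule.re);
      if (!m) continue;
      const expr = (m.slice(1).find((g) => g !== undefined) || '')
        .trim()
        .replace(/;$/, '');
      if (isSanitized(expr)) continue;
      // A static literal is safe unless it is itself a javascript: URL.
      if (isStaticString(expr) && !/^['"`]\s*javascript:/i.test(expr)) continue;
      findings.push({ file: fileName, line: i + 1, rule: rule.id, cwe: rule.cwe, expr });
    }
  });
  return findings;
}

// Constructed sample sources (not from any real project).
const SAMPLE_JS = [
  'const userInput = window.location.hash.substring(1);',
  "document.getElementById('output').innerHTML = userInput;",   // dynamic: flag
  "banner.innerHTML = '<p>Welcome</p>';",                        // static: skip
  'card.innerHTML = `<b>${profile.name}</b>`;',                   // template: flag
  'article.innerHTML = DOMPurify.sanitize(post.html);',          // sanitized: skip
  '<div dangerouslySetInnerHTML={{ __html: post.body }} />',     // flag
  '<a href={user.website}>site</a>',                             // flag
  '<a href={"/account"}>account</a>',                            // static: skip
].join('\n');

const SAMPLE_PY = [
  'from django.utils.safestring import mark_safe',
  'html = mark_safe("<hr>")',                                    // static: skip
  'html = mark_safe(f"<p>{bio}</p>")',                           // f-string: flag
  "html = Markup('<b>' + name + '</b>')",                        // concat: flag
].join('\n');

function flaggedLines(source, fileName) {
  return scanSource(source, fileName).map((f) => f.line);
}

for (const f of [...scanSource(SAMPLE_JS, 'app.jsx'), ...scanSource(SAMPLE_PY, 'views.py')]) {
  console.log(`${f.file}:${f.line} [${f.cwe}] ${f.rule}: ${f.expr}`);
}
```

Two caveats that hold for any line-based approach: a sink whose argument is built on an earlier line (data flow through a variable) is only caught if the assignment itself is matched, and a sanitizer wrapped in a local helper is invisible unless the helper name is added to `isSanitized`. Those are the gaps a real analyzer closes with taint tracking over an AST.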
