Cross-Site Scripting (XSS) Explained: Stored, Reflected, and DOM Attacks

Introduction

Modern web applications feel faster, smarter, and more interactive than ever before. Dashboards update instantly, forms respond in real time, and content adapts dynamically to users. However, this same interactivity has kept cross-site scripting attacks relevant even in 2026.

Cross-site scripting, commonly known as XSS, remains one of the most abused web vulnerabilities. Despite years of awareness, attackers still find ways to inject malicious scripts into trusted websites. Once successful, those scripts execute directly inside a victim’s browser.

Because XSS targets users rather than servers, the impact often goes unnoticed until real damage occurs. Therefore, understanding how XSS works, and how its different forms behave, is essential for anyone building or maintaining web applications today.

cross-site-scripting-xss-explained

What Is Cross-Site Scripting?

Cross-site scripting is a web security vulnerability that allows attackers to inject malicious JavaScript into a trusted website. When users visit the affected page, the browser executes the injected script as if it were legitimate.

In simple terms:

  • The website trusts user input
  • The application displays that input without proper handling
  • The browser executes the injected script

The attacker does not hack the server directly. Instead, they exploit how the application processes and displays data.

XSS is dangerous because it allows attackers to:

  • Steal session cookies
  • Hijack logged-in user sessions
  • Modify page content
  • Perform actions on behalf of users

Because the attack runs in the browser, traditional server-side security controls often miss it.

How Cross-Site Scripting Attacks Work

Although XSS has different forms, the core idea remains the same.

  1. An application accepts input
  2. That input is not properly validated or escaped
  3. The application outputs the input back to users
  4. The browser executes malicious code

The key mistake lies in trusting user-controlled data. Whenever an application treats untrusted input as safe output, XSS becomes possible.

Stored XSS Explained

What is Stored XSS?

Stored XSS occurs when malicious input is permanently saved on the server. This input is later displayed to users without proper sanitisation.

Common storage locations include:

  • Comment sections
  • User profiles
  • Support tickets
  • Forum posts

How Stored XSS Works

An attacker submits a script as input. The application stores it in the database. Every time another user loads the affected page, the script executes automatically.

Because the payload persists, stored XSS is often considered the most dangerous type.

Why Stored XSS Is Dangerous

  • Affects multiple users
  • Executes without user interaction
  • Can target privileged accounts
  • Harder to detect once deployed

Reflected XSS Explained

What is Reflected XSS?

Reflected XSS occurs when malicious input is reflected immediately in the server’s response without being stored.

This usually happens in:

  • Search results
  • Error messages
  • URL parameters

How Reflected XSS Works

The attacker crafts a malicious link containing a script. When the victim clicks the link, the application reflects the input back in the response. The browser executes the script instantly.

Unlike stored XSS, the payload does not persist. However, social engineering often makes this attack effective.

Why Reflected XSS Still Works

  • Users trust familiar websites
  • URLs are rarely inspected closely
  • Messages appear contextually relevant

Therefore, even temporary injection can cause serious harm.

DOM-Based XSS Explained

What is DOM-Based XSS?

DOM-based XSS occurs entirely within the browser. The server may be secure, but client-side JavaScript processes untrusted data insecurely.

DOM refers to the Document Object Model, which represents the structure of a web page in the browser.

How DOM-Based XSS Works

JavaScript reads data from:

  • URL fragments
  • Browser storage
  • Page parameters

If the script writes this data back into the page without validation, malicious code executes.

Because the server never sees the payload, traditional security tools often miss this attack.

Why DOM-Based XSS Is Increasing

  • Heavy use of JavaScript frameworks
  • Client-side rendering
  • Dynamic content updates

As applications become more interactive, DOM-based XSS becomes harder to avoid.

Why XSS Still Exists in Modern Frameworks

Many developers assume modern frameworks automatically prevent XSS. While they help, they do not eliminate risk.

Improper output handling

Escaping data in one context does not make it safe everywhere.

Dangerous APIs

Functions that directly manipulate HTML can introduce risk.

Third-party components

Libraries may introduce unsafe rendering behaviour.

Developer assumptions

Trusting internal data sources often leads to blind spots.

Therefore, XSS remains a practical threat even in modern applications.

Real-World XSS Scenario

A web dashboard allows users to customise display names. An attacker enters a script instead of text.

The application stores the value and displays it across the platform. When an administrator views the dashboard, the script executes and silently steals their session.

No malware is installed. No server is compromised. Yet the attacker gains privileged access.

This scenario shows how small input-handling mistakes can escalate quickly.

Why Cross-Site Scripting Attacks Are Hard to Detect

XSS attacks blend into normal application behaviour.

Scripts look legitimate

Browsers cannot distinguish intent.

Traffic appears normal

Requests follow valid application flows.

Client-side execution

Many security tools focus on server activity.

Low noise

Attackers can target specific users quietly.

As a result, prevention is more effective than detection.

Impact on Businesses / Individuals

For Businesses

  • Account takeover incidents
  • Data leakage
  • Brand trust damage
  • Compliance failures
  • Costly incident investigations
  • Increased support burden

For Individuals

  • Session hijacking
  • Credential theft
  • Privacy violations
  • Loss of trust in applications
  • Exposure to further attacks

How to Prevent Cross-Site Scripting Attacks

Preventing XSS requires discipline at multiple levels.

Validate and sanitise input

Never trust user-provided data.

Escape output by context

HTML, JavaScript, and URLs require different handling.

Avoid dangerous rendering methods

Limit direct DOM manipulation where possible.

Use strict content security policies

Reduce the impact of injected scripts.

Review third-party components

Dependencies can introduce hidden risks.

Educate development teams

Understanding XSS reduces recurring mistakes.

Detailed guidance on XSS prevention is documented by OWASP in its official Cross-Site Scripting resources: Read more

Why XSS Is a Design Problem, Not Just a Coding Bug

XSS often results from assumptions made during design. When applications assume input is safe, vulnerabilities follow.

Therefore, preventing XSS requires thinking about data trust boundaries early, not patching issues later.

Conclusion

Cross-site scripting attacks remain a powerful and relevant threat because they exploit trust between users and applications. Stored, reflected, and DOM-based XSS may differ in execution, but all rely on the same underlying issue: improper handling of untrusted data.

By adopting secure design principles, consistent output handling, and developer awareness, organisations can significantly reduce XSS risk. At eSHIELD IT Services, we help teams identify hidden injection flaws and build applications that protect users by default.

Ultimately, XSS prevention is not about blocking creativity. It is about ensuring trust in every interaction.

FAQ

What is cross-site scripting (XSS)?

It is a vulnerability that allows malicious scripts to run in users’ browsers.

Is XSS a server-side attack?

No, it executes on the client side.

Which type of XSS is most dangerous?

Stored XSS often has the widest impact.

Can modern frameworks prevent XSS?

They help, but do not eliminate risk entirely.

Is XSS still common in 2026?

Yes, especially in complex web applications.

Does HTTPS prevent XSS?

No, HTTPS does not stop script injection.

Can XSS lead to account takeover?

Yes, by stealing session data.

Is input validation enough?

No, output escaping is equally important.

Can CSP fully stop XSS?

No, but it reduces impact.

Who is responsible for preventing XSS?

Developers, security teams, and reviewers together.

Call Us