Understanding XSS: Types, Exploits, and Effective Defenses
This article explains what Cross‑Site Scripting (XSS) is, distinguishes non‑persistent and persistent attacks with real‑world URL examples, and outlines practical defense strategies such as proper escaping, character‑set handling, and content‑type settings to protect web applications.
XSS (Cross‑Site Scripting) is a web‑based injection attack, comparable to SQL injection, in which attacker‑controlled script is injected into a page and executed in the victim's browser, giving the attacker control over what that browser does in the context of the site.
Non‑persistent XSS
A non‑persistent (reflected) XSS attack is one‑time only; it occurs when a user follows a crafted URL that contains malicious script, which is executed immediately by the browser.
Example: an attacker provides a URL that, when visited, injects a script causing an alert box with the message "attacked" to appear.
Another crafted URL injects markup into the rendered page itself, so that the resulting page source contains the attacker's script.
Persistent XSS
Persistent (stored) XSS occurs when the malicious input is saved on the server, so the attack repeats on every page load rather than only once. For example, an attacker posts a comment containing <img src=0 onerror=alert(5)/>; the comment is saved in the database, and every page that displays the comment triggers the alert for each viewer.
XSS Defense
Basic principle: Never trust any user‑provided input.
Validate and filter all parameters and submitted content.
Common escaping techniques:
html_escape
javascript_string_escape
url_escape
css_string_escape
Set proper character encoding to avoid issues such as UTF‑7 XSS.
Set correct Content‑Type headers to prevent JSON‑based XSS.
Examples:
In PHP, use htmlspecialchars() for output escaping.
In Java, use libraries such as the OWASP Java Encoder or the Coverity Security Library (CSL).
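As an added example that is not from the original article, the following Python code applies the four escaping techniques listed above to the stored‑comment payload from the persistent XSS section, rendering the same untrusted value into HTML, JavaScript, URL and CSS contexts, and builds the character‑set and Content‑Type headers the last two defense points describe. The function names mirror the list; the sample comment and the render template are constructed for illustration.

```python
import html
import json
import urllib.parse

# Constructed sample input: the stored-comment payload from the persistent XSS example.
COMMENT = '<img src=0 onerror=alert(5)/>'

def html_escape(s: str) -> str:
    # Escapes & < > " ' so the value renders as text inside an element or quoted attribute.
    return html.escape(s, quote=True)

def javascript_string_escape(s: str) -> str:
    # JSON encoding yields a valid JS string literal (quotes, backslashes, newlines handled);
    # additionally hex-escape < > & and the U+2028/U+2029 line terminators so the value can
    # never close the surrounding <script> block or break a JS statement.
    encoded = json.dumps(s)
    for ch, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026'),
                    ('\u2028', '\\u2028'), ('\u2029', '\\u2029')):
        encoded = encoded.replace(ch, esc)
    return encoded

def url_escape(s: str) -> str:
    # Percent-encode everything except unreserved characters for use as a query-string value.
    return urllib.parse.quote(s, safe='')

def css_string_escape(s: str) -> str:
    # Hex-escape every non-alphanumeric character (CSS syntax: backslash, hex digits, space).
    return ''.join(c if c.isalnum() else f'\\{ord(c):x} ' for c in s)

def render_comment(comment: str) -> str:
    # The same untrusted value placed in four contexts, each with the escaper for that context.
    return (
        f'<p>{html_escape(comment)}</p>\n'
        f'<script>var c = {javascript_string_escape(comment)};</script>\n'
        f'<a href="/search?q={url_escape(comment)}">search</a>\n'
        f'<style>p::after {{ content: "{css_string_escape(comment)}"; }}</style>'
    )

def response_headers(body_kind: str) -> dict:
    # An explicit charset stops browsers guessing encodings such as UTF-7; JSON responses are
    # served as application/json, never text/html, so a browser will not render them as a page.
    types = {'html': 'text/html; charset=utf-8', 'json': 'application/json; charset=utf-8'}
    return {'Content-Type': types[body_kind], 'X-Content-Type-Options': 'nosniff'}
```

Running render_comment(COMMENT) shows that the <img ... onerror=...> payload survives nowhere as live markup: each context neutralises it with its own encoding rather than one shared blacklist.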
Java High-Performance Architecture
Sharing Java development articles and resources, including SSM architecture and the Spring ecosystem (Spring Boot, Spring Cloud, MyBatis, Dubbo, Docker), Zookeeper, Redis, architecture design, microservices, message queues, Git, etc.