What XSS Does
Cross site scripting lets an attacker run their own script in another user's browser, in the context of your site. With that foothold they can steal session cookies, log keystrokes, or rewrite the page.
The Three Types
- Stored XSS saves the malicious script on the server, for example in a comment, so every viewer is attacked.
- Reflected XSS bounces the script off the server inside a response, usually delivered through a crafted link.
- DOM based XSS never touches the server: client side code reads an untrusted value and writes it into the page.
Stopping All Three
The unifying fix is context aware output encoding. Encode data for the exact place it lands, so HTML, attribute, and JavaScript contexts each get the right treatment. A modern template engine that auto escapes by default handles most cases.
- Avoid building HTML with raw string concatenation.
- Add a Content Security Policy as a strong second layer that blocks inline scripts.
- Treat anything that writes to the page as a potential sink.
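The encoding rule above, worked through for one untrusted value landing in three contexts. This is an added example, not code from the original page; the helper names are hypothetical and SAMPLE is constructed input. It also checks why an HTML encoder is the wrong tool inside a JavaScript string.

```javascript
// Added example. Helper names are hypothetical; SAMPLE is constructed input.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML element content: neutralise the characters that can start markup.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Quoted attribute value: numeric entity for every non-alphanumeric code point.
function encodeAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string literal: \uXXXX for every non-alphanumeric UTF-16 unit.
// Covers quotes, backslash, line terminators and "<" (so "</script>" cannot appear).
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => `\\u${c.charCodeAt(0).toString(16).padStart(4, '0')}`);
}

// One untrusted value, three sinks, three encoders.
function renderGreeting(name) {
  return [
    `<p>Hello, ${encodeHtml(name)}</p>`,
    `<input name="who" value="${encodeAttr(name)}">`,
    `<script>var who = "${encodeJsString(name)}";</script>`,
  ].join('\n');
}

// Check: placed inside a JS string literal, does the encoded text parse
// back to exactly the original value?
function jsStringRoundTrips(encoded, original) {
  try {
    return new Function(`return "${encoded}";`)() === original;
  } catch (err) {
    return false; // literal was broken, e.g. a trailing backslash ate the closing quote
  }
}

const SAMPLE = 'Ann "<b>" \\'; // constructed; ends in a single backslash
console.log(renderGreeting(SAMPLE));
console.log('JS encoder in JS context:  ', jsStringRoundTrips(encodeJsString(SAMPLE), SAMPLE));
console.log('HTML encoder in JS context:', jsStringRoundTrips(encodeHtml(SAMPLE), SAMPLE));
```

The HTML encoder leaves the backslash untouched, so in the script context it swallows the closing quote and the literal no longer ends where the template intended.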
Key idea
XSS comes in stored, reflected, and DOM based forms, but all three are defeated by encoding output for the exact context it renders in, reinforced by a Content Security Policy.