Web security: XSS

Cross site scripting is a serious thing

XSS is one of the most common security issues we have to worry about. It can be simple to prevent, but sometimes it's not. We must pay attention not only to our PHP code but also to HTML and JavaScript code, without forgetting old browsers. Some malicious users can use old versions of Internet Explorer to explore the DOM and take advantage of some bug or vulnerability. Here I'll try to go more in-depth with XSS.

What is XSS?

XSS or Cross Site Scripting is a web application vulnerability that occurs when untrusted data from the user is processed by the web application without validation and is reflected back to the browser without encoding or escaping, resulting in code execution at the browser engine.

Types of XSS

  • Reflected XSS or Non-Persistent XSS
  • Stored XSS or Persistent XSS
  • mXSS or Mutation XSS
  • RPO XSS or Relative Path Overwrite XSS

Reflected XSS or Non-Persistent XSS

A user sends untrusted data to the browser, which sends it to the server. The server sends the result back to the browser and the user. Here is a link with many useful resources.

Stored XSS or Persistent XSS

Data is sent to the browser, which sends it to the server. The server sends it to a database, and the result is sent back to the server, the browser and the user. In this case untrusted data can be stored in a database permanently.

RPO XSS or Relative Path Overwrite XSS

RPO depends on three things:

  • Stored XSS that allows CSS injection
  • URL rewriting (DEMO)
  • Relative Addressing to CSS style sheet

How it works

  • It takes advantage of the CSS parser, which skips over HTML
  • URL rewriting to load CSS from the same page
  • Works on older versions of IE
  • More info
  • DEMO

Sources of XSS

  • URL, parameters in URL, Headers
  • Form data (input box, textarea, checkboxes etc.)
  • Files and metadata

Different Contexts in XSS

  • HTML
  • Attribute
  • URL context
  • Style
  • Script: not only server side but also client side. We must pay attention when developing and deploying code.
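
Each context in the list above needs its own output handling. The following JavaScript is an added example, not code from the original post: every function name is a hypothetical helper, and the input is constructed. It applies one encoder or validator per context to the same untrusted fields.

```javascript
// Added example; every function name here is a hypothetical helper.

// HTML context: neutralise characters that open tags or entities.
function encodeHtml(v) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(v).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute context: encode every non-alphanumeric code point so the value
// cannot close its quote or, if left unquoted, end at a space.
function encodeAttr(v) {
  return String(v).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// URL context: encoding cannot make javascript: safe, so allowlist the
// scheme first. Only absolute http(s) URLs pass; anything else becomes "#".
function safeUrl(v) {
  try {
    const url = new URL(String(v));
    return ['http:', 'https:'].includes(url.protocol) ? url.href : '#';
  } catch {
    return '#';
  }
}

// Style context: accept only a strict allowlist (hex colours here).
function safeCssColor(v) {
  const s = String(v);
  return /^#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i.test(s) ? s : 'inherit';
}

// Script context: JSON-encode, then escape characters that could close the
// <script> element or start an HTML comment.
function encodeJs(v) {
  return JSON.stringify(String(v)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.codePointAt(0).toString(16).padStart(4, '0'));
}

// One template that places the same untrusted fields in all five contexts.
function renderProfile(u) {
  return `<a href="${encodeAttr(safeUrl(u.site))}" title="${encodeAttr(u.name)}" ` +
    `style="color:${safeCssColor(u.color)}">${encodeHtml(u.name)}</a>` +
    `<script>var displayName = ${encodeJs(u.name)};</script>`;
}

// Constructed hostile input for demonstration.
const sample = { name: '</script><script>alert(1)</script>', site: 'javascript:alert(1)', color: 'expression(alert(1))' };
console.log(renderProfile(sample));
```

The HTML encoder alone would not have protected the `href`, `style` or script positions, which is why the encoder has to match the context.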


A testing tool can be used to discover and explore vulnerabilities too. Here are some of the most common tools: