Hacking Tutorials XSS

Persistent, Reflected, DOM-based and Self XSS attacks

Welcome back XSSers. Today we will talk about Persistent, Reflected and DOM-based XSS attacks. Without wasting any time lets get straight to today’s topic.

Types Of Cross Site Scripting (XSS) attacks

XSS attacks can be categorized on the basis of who is executing the script as follows:

  1. Reflected XSS :  When malicious script is executed by the client because of the vulnerability in a webpage
  2. Stored XSS : When malicious script is executed by the server because of the vulnerability in a webpage
  3. DOM-based XSS : When malicious script is executed by the client by using DOMr

If you didn’t understand a word. Don’t worry keep reading.

Reflected/Non-Persistent XSS

Most of the XSS vulnerabilities are exploited by a reflected XSS attack. Its very simple, you enter a malicious script in a input form which is vulnerable to XSS and the script gets executed. If you want to attack a user, you can simply send him a link with your malicious script.

For example, I exploited a website’s search form and the webpage which executed my malicious script has the following URL:


Now if I send this link to someone and he opens it then my malicious script will be executed in his browser. This kind of XSS i.e. Reflected XSS is temporary as it can be executed only when you visit a malicious URL.

Persistent/Stored XSS

This type of XSS occurs when a hacker injects a malicious script and it gets stored in the database of the website and gets executed every time when a user visit the infected page. Yes. I said it gets stored.
For example,

presistent stored XSS tutorial

This input form is vulnerable to XSS in which I have entered my malicious script.

Now my comment i.e. malicious script will get stored in the database of the website and everyone visiting the page that I have commented on will get a pop up like this:

DOM based XSS example

A hacker can easily insert a cookie stealing script, a redirection script, a phishing page and what not?


Wait..What is DOM? Well Document Object Model (DOM) is a thing which allows the client side script (i.e. JavaScript) to modify the content and layout of a webpage.

Take a look at this code

var pos=document.URL.indexOf("input=")+6;  //finds the position of value 
var userInput=document.URL.substring(pos,document.URL.length); //copy the value into userInput variable
document.write(unescape(userInput)); //writes content to the webpage

This code is vulnerable to DOM based XSS as it renders the webpage according the input submitted by the user. So a hacker might send a link like example.com/index/doc.php?m=Click <a href=”phishing_site.com”>here</a>.

Which will render the page like this:

DOM based XSS

So I can send this to anyone and their browser will render the this page and not the server.

Self XSS

Well these are the three basic types of an XSS based attacks. Actually there is one more which often gets excluded while someone talks about XSS i.e. Self XSS.
A hacker may ask you to open up the developer console (opens with Ctrl+Shit+I in Firefox) and ask you enter a script there:
self xss example tutorial
No! You are not hacking anyone’s email account by pasting some script in here. You got tricked by hacker! This is an example of self XSS where the user attacks himself. *Suicide LOL*
That’s all folks!
We will keep discovering the vast world of XSS in upcoming articles.
Till then keep hacking keep XSSing!

Also Read: How to find Admin Panel of a website?

About the author


I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.


Click here to post a comment

    • Self XSS
      Complexity: Very High (Victim needs to inject the payload himself)
      Impact: Very low

      DOM XSS
      Complexity: Medium (Hard to detect)
      Impact: Medium (As same as regular XSS)

      There’s no need to post about self XSS but I think i would write an article about DOM Based XSS in future.

Subscribe Now

Subscribe for free and get latest articles delivered right into your inbox.

Thank you for subscribing.

Something went wrong.