Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn’t intended.


Some website features commonly vulnerable to XSS attacks are:


Search Engines

Login Forms

Comment Field



There are three types of XSS attacks


Local – Local XSS attacks are by far the rarest and the hardest to pull off. This attack requires an exploit for a browser vulnerability. With this type of attack, the hacker can install worms, spambots, and backdoors onto your computer.

Non-Persistent – Non-persistent attacks are the most common types of attack and don’t harm the actual website. Non-persistent attacks occur when  a scripting language that is used for client-side web development or HTML is inserted into a variable which causes the output that the user sees to be changed. Non-persistent attacks are only activated when the user visits the URL crafted by the attacker.


Persistent – Persistent attacks are usually used against web applications like guest books, forums, and shout boxes. Some of the things a hacker can do with a persistent attacks are:

    Steal website cookies

    Deface the website

    Spread Worms



Reflective XSS Attack



Reflected Cross-site Scripting (XSS) occur when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself.


1:First of all, we have to find a input field so that we can inject our own script, for example: search box, username,password or any other input fields. Once we found the input field, let us try to put some string inside the field, for instance let me input "abcd". It will display the  result “hi abcd”.It means reflective script is working in website.


2:  let us make sure whether the site is completely vulnerable to attack by injecting a full javascript code.  For instance, let us input


<script>alert('abcd')</script>.Now it will display pop-up box with 'abcd' string. Finally, we successfully exploit the XSS .  By extending the code with malicious script, a hacker can do steal cookies or deface the site and more.