Cross-Site Scripting Tutorial

Cross-site Scripting is an attack where the attacker will enable to insert client-side script into the application to gain access control and data of the application. An example of common Cross-Site Scripting that I do believe everyone is well-aware of it can be seen as below

<script>alert(“XSS Vulnerabilities”)</script>

An example of Cross-Site Scripting code can be seen as below

An example of Cross-Site Scripting Attack

For those are no knowledge on Cross-Site Scripting, there are around 4 types of Cross-Site Scripting

  • Non-persistent( Reflected)
  • Persistent( On Stored)
  • Server-side vs DOM-based vulnerabilities
  • Self-XSS
  • Mutated XSS ( mXSS)

Below is another way for the Cross-Site Scripting attack:

  • Basic payload (<script>alert(“XSS Vulnerabilities”)</script>)
  • Img Payload(<img src=x onerror=alert(‘XSS Vulnerabilities’);>)
  • Svg Payload( <svgonload=alert(1)>)
  • Div Payload(<div onpointerover=”alert(45)”>XSS Vulnerabilities</div>)


To secure the website from XSS Vulnerability, the admin needs to modify the code so that the attacker will not use the code. The coding that secures the website from XSS Vulnerability that needed to be modified is such as

echo ‘Output’ .htmlspecialchars($_GET[‘name’]);

Author: Wan Ariff

He brings with him working experience in Information Security filed which specializing in Penetration Testing and Digital Forensic. His passion is more to IT Security

Leave a Reply

Your email address will not be published. Required fields are marked *