diagram.mmd — flowchart
XSS Attack Flow flowchart diagram

Cross-Site Scripting (XSS) is a class of injection attack where malicious JavaScript is injected into a web page and executed in the victim's browser, giving the attacker access to everything the JavaScript security model can access: cookies, session storage, DOM contents, and the ability to make authenticated requests.

There are three main XSS variants. Reflected XSS occurs when a server reflects unsanitized user input directly in the HTML response: the attacker crafts a URL containing a script payload in a query parameter, tricks the victim into opening it, and the server echoes the script into the page. Stored (persistent) XSS is more dangerous: the attacker submits a malicious script through a form (comment, profile field, message), the server saves it to the database, and every user who subsequently views that content executes the script. DOM-based XSS happens entirely client-side: JavaScript running in the page reads from location.hash, document.referrer, or another attacker-controlled source and writes the unsanitized value into the DOM, so the server never sees the payload.

The impact of a successful XSS attack is severe. An attacker can steal non-HttpOnly cookies and forward them to a remote server, log every keystroke (credential harvesting), modify page content (phishing), make API requests as the authenticated user, and establish persistent backdoors via service workers.

Prevention layers: output encoding, meaning untrusted data is always encoded for the exact context it is inserted into (HTML body, HTML attribute, JavaScript, CSS, or URL) before insertion; most XSS stems from encoding for the wrong context or not encoding at all. Content Security Policy (CSP) restricts which scripts the browser will execute (see Content Security Policy Flow). HttpOnly cookies prevent script access to session cookies (see Secure Cookie Flow). Input validation and sanitization (using an allowlist, not a blocklist) are additional layers, not substitutes for output encoding.


Frequently asked questions

XSS (Cross-Site Scripting) is an injection attack where malicious JavaScript is injected into a web page and executed in a victim's browser. The attacker's script runs within the origin of the target site, giving it access to cookies, session storage, DOM content, and the ability to make authenticated API requests on the victim's behalf.
Reflected XSS: the server echoes unsanitized input from a URL parameter back into the HTML response — the attacker tricks the victim into clicking a crafted URL. Stored XSS: the malicious script is persisted to the database and served to every user who views that content. DOM-based XSS: client-side JavaScript reads from an attacker-controlled source (such as `location.hash`) and writes it into the DOM without sanitization.
Output encoding transforms characters with special meaning in a given context (HTML, JavaScript, CSS, URL) into their escaped equivalents, so they are rendered as text rather than interpreted as code. For example, `<` becomes `&lt;` in HTML context. Context-aware encoding is critical — HTML encoding a value inserted into a JavaScript string literal is insufficient.
XSS executes attacker-controlled code within the victim's browser on the target origin, giving the attacker full script access. CSRF tricks the victim's browser into sending a request to the target origin from an external page, exploiting automatic cookie sending. XSS is generally more powerful — an XSS payload can bypass CSRF protections by reading and submitting valid CSRF tokens.
```mermaid
flowchart TD
  subgraph stored [Stored XSS Attack]
    A["Attacker submits malicious payload<br/>to comment or profile form<br/>e.g. a script tag calling alert(document.cookie)"] --> B["Server stores payload<br/>in database without sanitization"]
    B --> C["Victim visits page<br/>that renders stored content"]
    C --> D["Server returns HTML<br/>with malicious script embedded"]
    D --> E["Browser executes<br/>injected JavaScript"]
    E --> F["Script reads non-HttpOnly cookies<br/>and session storage"]
    F --> G["Script sends stolen data<br/>to attacker-controlled server"]
    G --> H["Attacker hijacks user session"]
  end
  subgraph defenses [Defenses]
    I["Encode all output<br/>before inserting into HTML/JS/CSS"] --> J["Apply Content Security Policy<br/>block inline scripts"]
    J --> K["Set cookies HttpOnly<br/>prevent JS cookie access"]
    K --> L["Validate and sanitize<br/>all user inputs with allowlist"]
  end
  E -.->|Blocked by| J
  F -.->|Blocked by| K
```
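The "Encode all output" defence in the flowchart, and the FAQ point that encoding must match the insertion context, as an added example that is not part of the original page: a stored comment rendered unsafely and then with a separate encoder for the HTML body and for a JavaScript string literal. The encoder and render function names and the comment values are constructed for this example.

```javascript
// Added example, not the diagram page's own code: the flowchart's
// "Encode all output" defence applied to a stored comment that is rendered
// in two contexts, an HTML element body and a JavaScript string literal in
// an inline script. The comment and payload values are constructed sample
// input; runs under Node without a browser.

// HTML body and quoted-attribute context: encode the five significant chars.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH-escape every character
// that is not alphanumeric, so no quote, backslash, line terminator or
// "</script>" can end the literal or the enclosing script element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable rendering (flowchart nodes B -> D): the stored comment is
// concatenated into the page untouched, so the page's own example payload
// "<script>alert(document.cookie)</script>" becomes live markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>\n` +
         `<script>var lastComment = "${comment}";</script>`;
}

// Hardened rendering: each insertion point uses the encoder for ITS context.
// HTML-encoding the value inside the script would leave "&lt;" in the JS
// string instead of "<" (entities are not decoded inside <script>).
function renderCommentSafe(comment) {
  return `<div class="comment">${encodeForHtml(comment)}</div>\n` +
         `<script>var lastComment = "${encodeForJsString(comment)}";</script>`;
}

// Check used by the tests: the template contains exactly one "<script" open
// tag of its own, so any further one was injected by the comment.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

const PAYLOAD = '<script>alert(document.cookie)</script>'; // constructed sample
```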