Cross-site scripting (XSS) is the work of injecting scripts into the web page, usually via JavaScript. There’s three main types of XSS –  Stored, Reflected, and DOM based.

Note * For the examples you’ll see periods in the tags. WordPress automatically strips the script tags as part of their sanitization so they don’t get XSS’d. If copying+pasting these code snippets, make sure you remove the periods.

Stored XSS is when the script is injected into the webpage code so that anyone who loads that web-page runs that script. The script is stored in the actual code of the website and will execute everytime the page is loaded. An example of this is finding a user input box that does not sanitize the input so you can inject something like

<.script>alert(0)</.script>                 (Remember to remove periods)

which is now permanently in that code and whoever loads that page will get a popup saying “0”. This is also referred to as persistent, type I XSS.

Reflected XSS is not stored on the web server and code and is unique to a URL. This is also referred to as non-persistent XSS, type II. An example of this is}catch%28e%29{}%3balert%280%29%3btry{a%3d%22

The username=%22%3bblahblahblah string at the end is the URL encoded payload that when decoded is actually:


Once again, this gives a popup, like an alert, that just says “0”.

DOM Based XSS is when the script entered modifies the DOM of the webpage that’s executed in the context of the application. An example of data modifying the DOM is when you see a webpage with an input box and as soon as you start typing into that input box, the text is printed in real-time. This means the it takes user data and updates the DOM which could be without the user actually sending data to the server.