Cross Site Scripting (XSS)

4.

XSS Attack Classification

4.1.

4.1.1.

Attack Mechanism

4.1.1.1.

Data Persistence Layer

4.1.1.2.

Storage Locations

4.1.1.3.

Retrieval Triggers

4.1.1.4.

Multi-User Impact

4.1.2.

Common Vulnerable Components

4.1.2.1.

Comment Systems

4.1.2.2.

User Profile Fields

4.1.2.3.

Forum Platforms

4.1.2.4.

Content Management Systems

4.1.2.5.

4.1.2.6.

Product Review Systems

4.1.2.7.

File Upload Metadata

4.1.3.

Attack Scenarios

4.1.3.1.

Administrative Panel Targeting

4.1.3.2.

Mass User Exploitation

4.1.3.3.

Privilege Escalation Chains

4.2.

4.2.1.

Attack Mechanism

4.2.1.1.

Request-Response Cycle

4.2.1.2.

Parameter Reflection

4.2.1.3.

Social Engineering Requirements

4.2.1.4.

Single-Use Nature

4.2.2.

Common Vulnerable Components

4.2.2.1.

Search Functionality

4.2.2.2.

Error Page Generation

4.2.2.3.

URL Parameter Processing

4.2.2.4.

Form Validation Messages

4.2.2.5.

Redirect Mechanisms

4.2.3.

Attack Scenarios

4.2.3.1.

Phishing Campaign Integration

4.2.3.2.

Credential Harvesting

4.2.3.3.

Session Token Theft

4.3.

4.3.1.

Attack Mechanism

4.3.1.1.

Client-Side Processing

4.3.1.2.

DOM Manipulation

4.3.1.3.

JavaScript Execution Flow

4.3.1.4.

Browser-Only Exploitation

4.3.2.

Source Analysis

4.3.2.1.

4.3.2.1.1.

4.3.2.1.2.

4.3.2.1.3.

location.search

4.3.2.2.

Browser Objects

4.3.2.2.1.

document.referrer

4.3.2.2.2.

4.3.2.3.

Storage Mechanisms

4.3.2.3.1.

4.3.2.3.2.

4.3.2.3.3.

4.3.3.

4.3.3.1.

Direct DOM Manipulation

4.3.3.1.1.

innerHTML Property

4.3.3.1.2.

outerHTML Property

4.3.3.1.3.

document.write Method

4.3.3.2.

JavaScript Execution

4.3.3.2.1.

4.3.3.2.2.

Function Constructor

4.3.3.2.3.

setTimeout with String

4.3.3.2.4.

setInterval with String

4.3.3.3.

Navigation Control

4.3.3.3.1.

location.assign

4.3.3.3.2.

location.replace

4.3.3.3.3.

4.4.

Specialized XSS Types

4.4.1.

4.4.1.1.

Social Engineering Tactics

4.4.1.2.

User Manipulation Techniques

4.4.1.3.

Corporate Environment Risks

4.4.2.

4.4.2.1.

Out-of-Band Detection

4.4.2.2.

Administrative Interface Targeting

4.4.2.3.

Log File Exploitation

4.4.3.

4.4.3.1.

Browser Parsing Inconsistencies

4.4.3.2.

DOM Mutation Events

4.4.3.3.

Filter Bypass Techniques

Previous

3. XSS Terminology and Concepts

Go to top

Next

5. Attack Vectors and Injection Points