Login
ChallengesLearn
Scoreboard
Teams
SPNZ

LearnCross Site ScriptingXSS: The Browser is the Database
Cross Site Scripting·Lesson 1 of 12

XSS: The Browser is the Database

Cross-Site Scripting turns the browser into an execution host. One unescaped string and the attacker runs JavaScript in your user session.

Beginner12 min
XSSOWASPWeb
Loading lesson…
NextReflected XSS

© 2026 SPNZ.

Terms of ServicePrivacy PolicyCookie Policy

Cross-Site Scripting has been a fixture of the OWASP Top 10 since its inception. Classified as A03:2021 Injection alongside SQLi, XSS exploits the browser's trust in the response it receives from the server. When a web application reflects user input without escaping it, the browser cannot distinguish between code the developer wrote and code the attacker injected.

What you'll be able to do
  • Define reflected XSS and explain the root cause (CWE-79).
  • Craft a payload that executes JavaScript via unescaped HTML reflection.
  • Distinguish between HTML context, attribute context, and JavaScript context injection.
  • Describe the Samy worm and how it propagated without patches.
Key terms
Reflected XSS
A subtype of XSS where the injected payload is part of the current request (e.g. a search query) and is reflected back in the server response immediately. The victim must be tricked into sending the malicious request.
Stored XSS
A subtype where the payload is persisted on the server (e.g. in a comment or profile field) and served to every visitor who views the affected page. No phishing is required.
Context-aware escaping
The practice of applying the correct encoding scheme based on where the value lands — HTML body, HTML attribute, CSS, JavaScript string, or URL.
Content Security Policy (CSP)
A browser security header that restricts which scripts can execute. A strict CSP blocks inline event handlers and eval even if an injection point exists.
What is it?

The browser is the database

XSS inverts the SQL injection model. Instead of injecting code into the database, you inject code into the browser — but the mechanism is the same: user input is treated as code instead of data. A search results page that echoes the query string is the canonical example. When the server renders <p>You searched for: $query</p>, any HTML the attacker places inside $query becomes part of the DOM.

The standard proof-of-concept payload <script>alert(1)</script> shows a dialog box in the browser. If the server reflects the query unescaped, the browser parses the injected script tag and executes it. The `alert()` is a stand-in for anything an attacker might want to run — reading cookies, exfiltrating tokens, or rewriting the page.

Not all payloads need a <script> tag. Event handlers in HTML attributes also execute JavaScript: <img src=x onerror="alert(1)"> fires when the browser fails to load the image, and <a href="javascript:alert(1)">click</a> runs code on click. The browser provides dozens of script execution surfaces — the attacker only needs one to slip through.

Data flow in a reflected XSS attack
Mini Map
Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.
Try it

Search box that reflects input

Type a product name into the search field below, then try a payload like <script>alert(1)</script>. The search page reflects your query literally — and unsafely — back into the page. Toggle safe mode to see how HTML escaping neutralises the attack.

prod/products?q=
shop-frontend
shop-frontend · search

Search products

Find what you are looking for in our catalogue.

Search results0 results
Type a query and press search to see results.
htmlvulnerable
<!-- VULNERABLE - raw reflection -->
<p>You searched for:
  <script>alert(1)</script>
</p>
Real-world relevance

The Samy worm: 1 million friends in 20 hours

In October 2005, a 19-year-old security researcher named Samy Kamkar found a stored XSS vulnerability on MySpace. MySpace had filtered out<script>,<body>, andonclick but missedonmouseover combined withbackground: url('javascript:…')in CSS. Samy crafted a profile page that, when viewed, added the viewer as a friend and copied the payload to the viewer's own profile. The worm propagated exponentially, reaching over one million MySpace users within 20 hours — the first major XSS worm in history. MySpace had to shut down temporarily and Samy was sentenced to three years probabrtsdc resulting in the first felony conviction for a social-networking worm.

The Samy worm is the canonical case study because it demonstrates how XSS can self-propagate without any server-side exploit. The attack surface was a single unescaped field in the user profile, and the impact was a platform-wide outage. More recently, the British Airways 2018 data breach involving 380,000 payment records began with an XSS vulnerability in a third-party JavaScript library.

Mitigation

Defence in depth for the browser

The primary defence is context-aware escaping — the application must encode values differently depending on whether they appear in an HTML element body, an attribute, a JavaScript string, or a URL. Server-side template engines like React's JSX escape HTML by default, butdangerouslySetInnerHTMLand similar APIs opt out of that protection and must be audited carefully.

javascriptvulnerable
// VULNERABLE - unescaped HTML reflection
res.send('<p>You searched for: ' + query + '</p>');

// SAFE - context-aware escaping
res.send('<p>You searched for: ' + escapeHtml(query) + '</p>');

// SAFE - Content Security Policy header
res.setHeader('Content-Security-Policy',
  "default-src 'self'; script-src 'self'");
// A strict CSP blocks inline scripts and eval() even
// if an injection point exists in the HTML.

A Content Security Policy (CSP) acts as a safety net. Even if escaping fails, a strict CSP prevents the browser from executing inline scripts or making requests to unknown origins. The combination of server-side escaping and a strict CSP is the industry standard for XSS defence. Input validation (e.g. rejecting HTML in search queries) is a useful additional layer but must never be the sole defence, since attackers find encoding bypasses.

Further reading
  • OWASP Top 10 - A03:2021 Injection(OWASP)
  • CWE-79: Cross-Site Scripting(MITRE)
  • Samy Kamkar — The MySpace Worm (technical write-up)(Samy Kamkar)
Key takeaways

What to remember

  • XSS is an injection bug where user input lands in an HTML context and is interpreted as code by the browser.
  • <script>alert(1)</script> is the proof of concept, but event handlers like onerror and onmouseover are equally dangerous.
  • Context-aware escaping is the primary defence — encode differently for HTML body, attributes, JavaScript, and URLs.
  • Content Security Policy provides a safety net even when escaping fails. Use both, not one.
  • The Samy worm (MySpace 2005) proved XSS can self-propagate and cause platform-wide outages without touching the server.

Knowledge check

0/3 answered · 0 correct

  1. 1.What is the root cause of reflected XSS?

  2. 2.Which of the following is NOT a valid XSS payload?

  3. 3.How did the Samy worm on MySpace propagate to over one million users?