Type of XSS :
- Reflected XSS : occurs when user input is immediately returned by a web app in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request.
- Stored XSS : occurs when user input is stored on the target server (such as in a database, in a message forum, visitor log, comment field, etc.) and later served to other users.
- DOM Based XSS : is an XSS attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser used by the original client-side script.
Types of Cross-Site Scripting :
- Client XSS : occurs when untrusted user-supplied data is used to update the DOM with an unsafe JavaScript call.
- Server XSS : occurs when untrusted user-supplied data is included in an HTTP response generated by the server.
| XSS | Server | Client |
|---|---|---|
| Stored | Stored Server XSS | Stored Client XSS |
| Reflected | Reflected Server XSS | Reflected Client XSS |
- DOM-Based XSS is a subset of Client XSS (where the data source comes from the client only).
Examples :
Reflected client XSS :
```html
<!DOCTYPE html>
<html>
<body>
  <h2>Recherche (Reflected Client XSS)</h2>
  <div id="result"></div>
  <script>
    // Get the search query from the URL and display it.
    // Source: the "search" query parameter; sink: innerHTML, which parses the value as HTML.
    var searchTerm = new URLSearchParams(window.location.search).get('search');
    if (searchTerm) {
      document.getElementById('result').innerHTML = 'Résultats pour : ' + searchTerm;
    }
  </script>
</body>
</html>
```
Reflected server XSS :
```php
<?php
// reflected_xss.php
?>
<!DOCTYPE html>
<html>
<body>
  <h2>Recherche (Reflected Server XSS)</h2>
  <form method="get" action="">
    <input type="text" name="search" placeholder="Recherche...">
    <input type="submit" value="Rechercher">
  </form>
  <?php
  // Source: the "search" query parameter; sink: echo into the HTML body without encoding.
  if (isset($_GET['search'])) {
      echo "Résultats de recherche pour: " . $_GET['search'];
  }
  ?>
</body>
</html>
```
Stored client XSS :
```html
<!DOCTYPE html>
<html>
<body>
  <h2>Notes personnelles (Stored Client XSS)</h2>
  <input type="text" id="noteInput" placeholder="Écrivez votre note ici">
  <button onclick="saveNote()">Sauvegarder</button>
  <div id="notes"></div>
  <script>
    // Save a note to localStorage (the client-side storage is the "stored" part).
    function saveNote() {
      var note = document.getElementById('noteInput').value;
      localStorage.setItem('note', note);
      showNotes();
    }
    // Display the notes. Sink: innerHTML parses the stored value as HTML.
    function showNotes() {
      var note = localStorage.getItem('note');
      if (note) {
        document.getElementById('notes').innerHTML = note;
      }
    }
    // Display the notes on page load
    showNotes();
  </script>
</body>
</html>
```
Stored server XSS :
```php
<?php
// stored_xss.php
session_start();
$messageFile = 'messages.txt';
// Append a message to the file (server-side storage)
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['message'])) {
    file_put_contents($messageFile, $_POST['message'] . "\n", FILE_APPEND);
}
// Read the existing messages
$messages = file_exists($messageFile) ? file($messageFile, FILE_IGNORE_NEW_LINES) : [];
?>
<!DOCTYPE html>
<html>
<body>
  <h2>Livre d'or</h2>
  <form method="post" action="">
    <textarea name="message"></textarea>
    <input type="submit" value="Envoyer">
  </form>
  <h3>Messages:</h3>
  <div>
    <?php foreach ($messages as $message): ?>
      <!-- Sink: each stored message is echoed into the HTML body without encoding -->
      <p><?php echo $message; ?></p>
    <?php endforeach; ?>
  </div>
</body>
</html>
```
Defenses :
Recommended Server XSS Defenses :
Server XSS is caused by including untrusted data in an HTML response. The easiest and strongest defense against server XSS :
- Context-sensitive server side output encoding.
Recommended Client XSS Defenses :
Client XSS is caused when untrusted data is used to update the DOM with an unsafe JS call.
- Using safe JavaScript APIs
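The two recommended defenses applied to the page's own search and guestbook cases, as an added example (not code from the original notes). `encodeForHtml` is a hypothetical helper that mirrors PHP `htmlspecialchars` with `ENT_QUOTES`; the client-side part relies on `textContent`, a standard DOM property, and the sample input is constructed.

```javascript
// Added example: context-sensitive output encoding (server XSS defense) and a
// safe DOM API (client XSS defense), applied to the search/guestbook pages above.

// 1. Output encoding for the HTML body and quoted-attribute context.
//    Hypothetical helper mirroring PHP htmlspecialchars($s, ENT_QUOTES): the five
//    characters that can break out of text or a quoted attribute become entities.
//    Like htmlspecialchars with double_encode=true, an existing '&amp;' is re-encoded.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fixed "Reflected Server XSS": the untrusted term is encoded at the exact point
// where it is concatenated into the HTML response.
function renderSearchResultHtml(searchTerm) {
  return '<div id="result">Search results for: ' + encodeForHtml(searchTerm) + '</div>';
}

// Fixed "Stored Server XSS": every stored guestbook message is encoded when rendered,
// not when stored, so the data stays intact and the encoding matches the HTML context.
function renderGuestbookHtml(messages) {
  return messages.map((m) => '<p>' + encodeForHtml(m) + '</p>').join('\n');
}

// 2. Fixed "Client XSS": textContent creates a text node, so the browser never parses
//    the untrusted string as markup (innerHTML would). Works on any element-like object.
function showSearchResult(resultElement, searchTerm) {
  resultElement.textContent = 'Search results for: ' + searchTerm;
  return resultElement.textContent;
}

// Constructed sample input shaped like a markup-breaking value; it only exercises the encoder.
const SAMPLE_INPUT = '"><script>alert(1)</script>';

// Stand-alone demonstration: the encoded output contains no raw "<script" and the
// textContent path keeps the string verbatim as inert text.
console.log(renderSearchResultHtml(SAMPLE_INPUT));
console.log(renderGuestbookHtml(['hello', SAMPLE_INPUT]));
console.log(showSearchResult({ textContent: '' }, SAMPLE_INPUT));
```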
How to mitigate XSS :
- Response Headers
  - x-xss-protection
    - `0` : Disables XSS filtering.
    - `1` : Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
    - `1; mode=block` : Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
    - `1; report=<reporting-URI>` : Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP [`report-uri`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive to send a report.
  - This feature is now considered obsolete and has been removed from most modern browsers. Content Security Policy is used instead.
- Filter user input
  - `htmlspecialchars(string $string, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, ?string $encoding = null, bool $double_encode = true): string`
- Restrict user input
- Client side vs server side