DEV Community

Pratik Ambani

Explain Cross Site Scripting(XSS) attacks like I'm Five

Top comments (5)

Friday Godswill

Say you live in an apartment, and you have an air conditioner. This air conditioner has a remote control which you use to regulate the temperature. But there's a problem. Your next-door neighbour, Samantha, has the same air conditioner, with the same remote. Which means Samantha could easily control your room temperature with her own remote if she was close enough. But Samantha isn't the only one with the same remote control. Pretty soon you find out the entire neighbourhood has the same remote. Troublesome, isn't it?

Let's assume your house is a website, and your air conditioner is the front end. XSS can be likened to a situation where Samantha or any of your 100 neighbours use their own remote controls to manipulate your air conditioner without your permission.

Adrian B.G.

You are 5 years old, on a future Halloween. The trick-or-treat tradition is still around, but the technology has evolved.

A bad kid (X) lives in your neighborhood. He wants many candies, but he is lazy, so he decided to steal them from the other kids. X has very rich parents, future 3D printers and other cool spy tech.

Non-persistent XSS
X comes to your house and mounts a camera and sensors at your window to find out what you are going to wear. X buys the same costume as you, records your voice and then pretends to be you for the entire night. He goes to all the houses and takes the candies while pretending to be you.

The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability.[13] These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.

  • you weren't careful and didn't see the camera and sensors outside your window
  • the houses that gave candies trusted a mask, and didn't ask you to say your name or other things only you could know

Persistent XSS
X is getting lazier, and he found a new way to steal even more candies. He mounts a series of sensors and cameras on one of the neighbors' lawns. Any kid that goes there is recorded, and their costume and voice are copied to X's computer.
X can now impersonate most of the kids and take candies in their names.

  • the neighbor with the lawn permitted X to install his hardware in his yard
  • the houses that gave candies trusted a mask, and didn't ask you to say your name or other things only you could know

WIKIPEDIA - The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.[14]

houses that give candies - servers
X - the attacker
you and your friends - victims
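
The two cases quoted above (reflected and stored XSS), as an added illustration that is not part of this thread: a constructed Python rendering of a search page and of a message board, each with the unsafe version next to the one that HTML-escapes untrusted input at output time. The function names, the class and the sample query are my own assumptions, not code from any commenter.

```python
import html

# Constructed sample input: what a visitor (or a crafted link) sends in the
# ?q= query parameter of a search page, or posts to a message board.
SAMPLE_INPUT = 'shoes<script>alert(1)</script>'


def render_search_unsafe(q: str) -> str:
    """Reflected XSS: the query parameter is copied straight into the page."""
    return f"<h1>Results for: {q}</h1>"


def render_search_safe(q: str) -> str:
    """Same page, but the untrusted value is HTML-escaped before insertion."""
    # quote=True also escapes " and ', so the value is safe inside attributes.
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


class MessageBoard:
    """Stored XSS: posts are saved by the server and shown to every later visitor."""

    def __init__(self, escape_output: bool) -> None:
        self.escape_output = escape_output
        self.posts = []  # raw post bodies, exactly as submitted

    def post(self, body: str) -> None:
        # Storing the raw text is fine; the decision that matters is made
        # at output time, in render().
        self.posts.append(body)

    def render(self) -> str:
        items = []
        for body in self.posts:
            shown = html.escape(body, quote=True) if self.escape_output else body
            items.append(f"<li>{shown}</li>")
        return "<ul>" + "".join(items) + "</ul>"


def renders_as_markup(page: str, marker: str = "<script>") -> bool:
    """Check helper: True if the untrusted marker survived as live markup."""
    return marker in page
```

The stored case only differs in where the untrusted text waits (the server's storage instead of the request); the fix is the same escaping applied wherever the text is written into HTML.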

Theofanis Despoudis

It's also known as XSS attacks.

Pratik Ambani

Yep, buddy!
I've already added a hashtag for XSS :)