Cross-site scripting (XSS) is a web application vulnerability in which an attacker injects script into a page that is then executed by another user’s browser. Because the script runs in the security context of the legitimate site, it can read session cookies, modify the page, capture keystrokes, or perform actions as the victim.
Three classic variants
Reflected XSS occurs when user input from a request is echoed back in the response without proper encoding. The attacker crafts a malicious URL and tricks a victim into clicking it; the server reflects the payload, which then executes in the victim’s browser. Common in search forms and error messages.
Stored XSS persists the malicious payload on the server (database, file system, cache) and serves it to other users who visit the affected page. Forum posts, comments, product reviews, and admin panels are typical injection points. Stored XSS is the most damaging variant because each visit triggers the payload without further interaction.
DOM-based XSS happens entirely in the browser: client-side JavaScript reads user input (URL fragment, query parameter, postMessage) and writes it into the DOM unsafely. The server may never see the payload, which makes detection harder with server-side controls alone.
Impact
An attacker with XSS in an authenticated context can steal session tokens (where cookies are not marked HttpOnly), perform actions as the victim, deface the page, redirect to a phishing site, deliver malware, or capture form input including credentials and payment data. On administrative panels XSS often leads to full account takeover and further compromise.
Defences
The primary defence is context-aware output encoding: HTML-encode untrusted data when writing into HTML, JavaScript-encode when writing into scripts, URL-encode when writing into URLs, and so on. Use frameworks that encode by default (React, Vue, Angular) rather than hand-rolled string concatenation. Mark session cookies HttpOnly and Secure. Set a strict Content Security Policy (CSP) so that inline scripts and untrusted origins cannot execute even if injection succeeds. Sanitise user-supplied HTML using a vetted library such as DOMPurify when rich text is legitimately required.
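To make the context-aware encoding rule concrete, here is an added JavaScript example (not code from the original page): one encoder per output context and a hypothetical renderSearchPage template that applies each encoder at the sink it was written for. The function names and sample inputs are constructed for illustration.

```javascript
// Added example: context-aware output encoding for three common sinks.
// Assumes untrusted input arrives as a string (e.g. a reflected search
// term); function names and sample values are constructed, not from a library.

// HTML body/attribute context: encode the five characters that can change
// HTML structure. Encoding both quote types also covers quoted attributes.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// JavaScript string-literal context: escape every non-alphanumeric code unit
// as \xHH or \uHHHH, so the value can neither terminate the string literal
// nor close the enclosing <script> element.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL query-parameter context: percent-encode. The result still gets
// HTML-encoded when placed inside an attribute, because it crosses two contexts.
function encodeForUrlParam(untrusted) {
  return encodeURIComponent(String(untrusted));
}

// Render a reflected "search results" page, choosing the encoder by sink.
function renderSearchPage(term) {
  return (
    `<p>Results for <b>${encodeForHtml(term)}</b></p>\n` +
    `<a href="/search?q=${encodeForHtml(encodeForUrlParam(term))}">Refine</a>\n` +
    `<script>var lastQuery = '${encodeForJsString(term)}';</script>`
  );
}

// Count opening tags of a given name in rendered output; used to confirm
// that only the template's own tags survive, none from the input.
function countTags(rendered, tagName) {
  const matches = rendered.match(new RegExp(`<${tagName}\\b`, "gi"));
  return matches ? matches.length : 0;
}
```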
Related terms
See also: cross-site request forgery (CSRF), Burp Suite, and web application penetration testing.