Home/Glossary/Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

A web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

Web SecurityAlso called: "xss", "cross site scripting", "script injection"

XSS attacks exploit trust that users have in a website by injecting malicious code.

Attack types

  • Reflected XSS: Malicious script in URL parameters, reflected back in response.
  • Stored XSS: Malicious script stored in database, executed when page loads.
  • DOM-based XSS: Client-side JavaScript manipulates DOM unsafely.
  • Mutation XSS: Exploits browser parser quirks and mutations.

Common attack vectors

  • Form inputs and search boxes.
  • URL parameters and query strings.
  • HTTP headers (User-Agent, Referer).
  • File uploads with user-controlled content.
  • Third-party widgets and embedded content.

Impact

  • Session hijacking (steal cookies/tokens).
  • Credential theft via fake login forms.
  • Malware distribution and phishing.
  • Defacement and content manipulation.
  • Keylogging and user monitoring.

Prevention

  • Input validation: Whitelist allowed characters and patterns.
  • Output encoding: HTML-encode all untrusted data before rendering.
  • Content Security Policy (CSP): Restrict script sources.
  • HttpOnly cookies: Prevent JavaScript access to session cookies.
  • X-XSS-Protection header: Legacy browser XSS filter.
  • Framework auto-escaping: Use template engines that escape by default.

Testing

  • Try common payloads: <script>alert(1)</script>
  • Test encoding bypasses: URL encoding, Unicode, etc.
  • Check contexts: HTML, JavaScript, CSS, URL.
  • Use automated scanners and manual testing.

Real-world examples

  • MySpace Samy worm (2005): Spread via XSS, infected 1M users.
  • Twitter XSS (2010): Spread via hovering over tweets.
  • British Airways (2018): Data breach via XSS injection.

Related Tools

Related Articles

View all articles
30 Cloud Security Tips for 2026: Essential Best Practices for Every Skill Level

30 Cloud Security Tips for 2026: Essential Best Practices for Every Skill Level

Master cloud security with 30 actionable tips covering AWS, Azure, and GCP.

Read article →
CORS Security Guide: Preventing Cross-Origin Attacks and

CORS Security Guide: Preventing Cross-Origin Attacks and

Learn how to implement secure CORS policies, avoid common misconfigurations like wildcard origins and origin reflection, and protect your APIs from cross-origin attacks.

Read article →
How to Extract and Analyze Cookies from Your Browser

How to Extract and Analyze Cookies from Your Browser

Learn how to view, export, and analyze HTTP cookies from Chrome, Firefox, Edge, and Safari using browser DevTools. Includes security analysis tips.

Read article →
What Is a CDN? Content Delivery Network Guide

What Is a CDN? Content Delivery Network Guide

✅ Last Updated: January 29, 2025 • What a CDN is, how it works, pricing, providers, and setup steps

Read article →

Explore More Web Security

View all terms

CORS (Cross-Origin Resource Sharing)

A browser security mechanism that controls how web pages can request resources from different domains, preventing unauthorized cross-site data access.

Read more →

Cross-Site Request Forgery (CSRF)

An attack that tricks a victim into submitting unauthorized requests using their authenticated session.

Read more →

HTML Entity Encoding

A method of representing special characters in HTML using named or numeric references to prevent interpretation as code.

Read more →

HTTP Cookie

Small pieces of data stored by web browsers, used for session management, personalization, and tracking.

Read more →

HTTP Security Headers

Response headers that enable browser security protections against common web attacks.

Read more →

JSON Web Token (JWT)

A compact, URL-safe token format used to securely transmit claims between parties in web applications.

Read more →
Back to glossary