Cross-Site Scripting (XSS) is a vulnerability that allows an attacker to inject malicious JavaScript into a web page so that it executes in the browsers of other users who view that page. When a web application includes untrusted data in its output without proper validation or encoding, it creates an opportunity for attackers to execute scripts in the context of the victim's session, potentially stealing cookies, redirecting users, or modifying page content.
How It Works
XSS comes in three main variants. Reflected XSS occurs when user input from a request is immediately echoed back in the response without sanitization. The attacker crafts a malicious URL containing a script payload and tricks the victim into clicking it. The server reflects the payload in the response, and the victim's browser executes the script.
Stored XSS occurs when malicious input is saved to the server (in a database, comment field, or profile) and displayed to other users who view the affected page. This variant is more dangerous because it does not require the victim to click a crafted link; simply viewing the page triggers the script. Every user who visits the page becomes a victim.
DOM-based XSS occurs entirely in the browser when client-side JavaScript processes untrusted data and inserts it into the DOM in an unsafe way. The malicious payload may never reach the server, making it invisible to server-side security controls.
Defenses against XSS include output encoding (converting special characters to their HTML entities before rendering), Content Security Policy headers (restricting which scripts can execute), and input validation (rejecting or sanitizing dangerous characters). Context-aware encoding is essential because data rendered in HTML, JavaScript, CSS, and URL contexts each require different encoding schemes.
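The following JavaScript is an added example, not code from the original article: one encoder for each of the output contexts named above (HTML body, HTML attribute, JavaScript string, URL parameter) and a constructed render function that places the same untrusted value in all four. The template, the profile-page markup and the sample inputs are all constructed for this illustration; the key point it shows is that the HTML-body encoder leaves an attribute-breaking value untouched, so the context decides which encoder is correct.

```javascript
// Added example (not from the original page): context-aware output encoders.
// Each encoder is safe only in the context it is named for.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// HTML body context (text between tags): entity-encode the six significant characters.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'/]/g, ch => HTML_ESCAPES[ch]);
}

// HTML attribute context: encode everything but alphanumerics as &#xHH; so the value
// can neither close a quoted attribute nor, in an unquoted one, start a new attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, ch => `&#x${ch.codePointAt(0).toString(16)};`);
}

// JavaScript string-literal context: \xHH / \uHHHH escaping so the value cannot
// terminate the literal or the enclosing <script> block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, ch => {
    const cp = ch.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, '0')}` : `\\u${cp.toString(16).padStart(4, '0')}`;
  });
}

// URL query-parameter context: percent-encoding, including the characters
// encodeURIComponent leaves alone (!'()*) so the value stays inert in a URL.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g, ch => '%' + ch.charCodeAt(0).toString(16).toUpperCase());
}

// Constructed template (hypothetical profile page): the same untrusted display name
// is rendered into four different contexts, each with the encoder that context needs.
function renderProfile(displayName) {
  return [
    `<h1>${encodeForHtml(displayName)}</h1>`,
    `<img alt="${encodeForHtmlAttribute(displayName)}" src="/avatar.png">`,
    `<script>var name = '${encodeForJsString(displayName)}';</script>`,
    `<a href="/search?q=${encodeForUrlParam(displayName)}">Search</a>`,
  ].join('\n');
}

// Constructed sample inputs showing why the context matters: the second value contains
// none of the six HTML-body characters, so encodeForHtml returns it unchanged, yet in an
// unquoted attribute it would introduce an event-handler attribute.
const SAMPLES = ['<script>alert(1)</script>', 'x onmouseover=alert(1)', "'; alert(1); //"];
```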
Why It Matters
XSS is one of the most prevalent web application vulnerabilities. It enables session hijacking, account takeover, phishing, defacement, and malware distribution. Security assessments systematically test every input point and output context for XSS, including reflected, stored, and DOM-based variants, because even a single instance can compromise any user who encounters the affected page.
Need your application tested? Get in touch.