Cross-Site Scripting (XSS)


What is Cross-Site Scripting (XSS)?

Cross-Site Scripting, or XSS, is a web vulnerability that allows attacker-controlled script content to run in a user's browser because the application handles untrusted input unsafely.

Examples

  • A comment field on a website stores malicious script, and every visitor who loads the page has that script executed in their browser.
  • An attacker sends a victim a crafted link to a vulnerable web app, and the page reflects malicious script back to the browser when the link is opened.

Discover 🔎

Browsers are built to trust the websites they load. If a bank, portal, dashboard, or customer platform sends code to the browser, the browser assumes that code belongs to the site and should be executed under that site’s rules. XSS takes advantage of that trust.

The attacker does not need to break into the browser directly. Instead, they find a way to make the trusted website deliver attacker-controlled script to the victim. Once that happens, the victim’s browser may run the malicious code as though it were a legitimate part of the page.

Remember: XSS is dangerous because the browser believes the malicious script came from the trusted website itself.

Summary 📝

Cross-Site Scripting is a web vulnerability that allows attacker-controlled script to run in a victim’s browser because an application handles untrusted content unsafely. Its danger comes from abusing browser trust in a legitimate site, which can lead to session theft, page manipulation, and user compromise. Strong defense depends on safe output handling, careful development practices, and layered browser-side protections.
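The "safe output handling" the summary refers to is usually output encoding: every untrusted value is escaped at the moment it is written into HTML. The following JavaScript is an added example, not code from the original page, showing the stored-comment scenario from the examples above rendered once without escaping and once with it. The comment text is constructed for the demonstration, and the rendering functions are hypothetical server-side templates (they build an HTML string, so the example runs in Node without a browser).

```javascript
// Added example (not part of the original page): untrusted comment text
// rendered unsafely and safely, plus a small check that tells them apart.

// Escape the characters that can start markup in HTML text or attribute values.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the stored comment is concatenated into the page
// verbatim, so any markup it contains becomes part of the DOM for every
// visitor (the stored-XSS case from the examples above).
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Hardened rendering: the same template, but every untrusted value passes
// through escapeHtml() on output, so the browser shows the text instead of
// executing it.
function renderCommentSafe(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Detection helper for tests or a CI check: does a rendered fragment still
// contain a raw <script> tag or an inline event-handler attribute?
function containsActiveMarkup(html) {
  return /<script\b|\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample comment: a harmless script tag stands in for whatever
// an attacker might store in the field.
const sampleComment = {
  author: "guest",
  body: '<script>alert("xss")</script>',
};

// Run both renderings so the difference is visible when executed directly.
console.log("unsafe:", renderCommentUnsafe(sampleComment.author, sampleComment.body));
console.log("safe:  ", renderCommentSafe(sampleComment.author, sampleComment.body));
```

Escaping on output rather than on input is the point: the stored value stays as the user typed it, and the encoding is chosen for the context it is written into (HTML text here). A Content-Security-Policy header that restricts where scripts may load from is the "layered browser-side protection" the summary mentions and belongs alongside, not instead of, this encoding.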
