Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, enabling session hijacking, data theft, and account compromise.

Cross-Site Scripting (XSS) is a critical web security vulnerability that allows attackers to inject malicious client-side scripts—typically JavaScript—into web pages viewed by other users. It occurs when a web application fails to properly validate, sanitize, or encode user-supplied input before rendering it in the browser. The browser then executes the injected code as if it were legitimate content from the trusted website, enabling attackers to steal session cookies, hijack user accounts, capture login credentials, redirect users to phishing sites, or deface web pages.

XSS is commonly categorized into three types: Stored XSS (malicious script is permanently saved on the target server), Reflected XSS (script is reflected off a web server via a URL or form submission), and DOM-based XSS (the vulnerability exists in client-side code rather than server-side). Preventing XSS requires a combination of rigorous input validation, output encoding, use of Content Security Policy (CSP) headers, and leveraging modern frameworks that auto-escape rendered content. XSS remains one of the most prevalent vulnerabilities listed in the OWASP Top 10, making its mitigation essential for any secure web application.
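The output-encoding and CSP defenses described above, shown as an added example (not code from any framework or from this page's source). All function names and the sample comment are constructed for illustration; the unsafe renderer is included only to contrast with the hardened one.

```javascript
// Encode the five characters that can break out of HTML text or a quoted attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// HTML encoding does not neutralise a script-scheme URL placed in href,
// so the scheme is checked with the URL parser (which normalises case and
// leading whitespace) against an allow-list. Relative URLs are rejected here.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return ["http:", "https:"].includes(url.protocol) ? url.href : "#";
  } catch {
    return "#"; // not a parseable absolute URL
  }
}

// Unsafe: user input is concatenated into markup unchanged.
function renderCommentUnsafe(c) {
  return `<p>${c.text}</p><a href="${c.link}">${c.author}</a>`;
}

// Hardened: every value is encoded for the context it lands in.
function renderComment(c) {
  const href = escapeHtml(safeHref(c.link));
  return `<p>${escapeHtml(c.text)}</p><a href="${href}">${escapeHtml(c.author)}</a>`;
}

// CSP as a second layer: only same-origin scripts and inline scripts carrying
// the per-response nonce may run. The caller must generate the nonce with a
// CSPRNG for each response; it is a parameter here to keep the example offline.
function cspHeader(nonce) {
  if (!/^[A-Za-z0-9+/=_-]{16,}$/.test(nonce)) throw new Error("invalid nonce");
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Constructed sample input covering three injection contexts.
const sampleComment = {
  text: "<script>alert(1)</script>",   // HTML body context
  link: "JaVaScRiPt:alert(1)",         // URL context
  author: 'a" onmouseover="x',         // attribute breakout attempt
};

console.log(renderComment(sampleComment));
console.log(cspHeader("c2FtcGxlLW5vbmNlLTAwMQ=="));
```

The header string would be sent as the value of `Content-Security-Policy`, with the same nonce placed on each legitimate inline `<script>` tag.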