What Is Cross-Site Scripting?
Cross-Site Scripting (XSS) is a vulnerability class where untrusted input is rendered by a browser as executable script instead of plain text, potentially allowing an attacker's script to run in another user's browser session. This overview is conceptual and defense-focused.
Categories of XSS
- Reflected XSS — malicious input from the current request is echoed straight back in the server's response to that same request.
- Stored XSS — malicious input is saved on the server (for example in a database) and served to other users later.
- DOM-based XSS — the page's own client-side script takes untrusted data and inserts it into the DOM unsafely; the server response itself is not the source of the flaw.
conceptual — output encoding pattern
// Encode output for the context it lands in before rendering. Here escapeHtml()
// stands for the HTML text-context encoder and render() for writing the result
// into the page; other contexts (attribute, JavaScript, URL) need their own encoder.
render(escapeHtml(userInput));
Prevention Techniques
- Encode output appropriately for the context (HTML, attribute, JavaScript, URL).
- Use a strong Content Security Policy (CSP) to restrict script execution sources.
- Prefer frameworks that auto-escape output by default.
- Validate and sanitize input on the server side.
- Set the HttpOnly flag on sensitive cookies to reduce impact if XSS occurs.
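The context-specific encoding that the pseudocode above sketches and the first prevention item calls for, as an added example (not code from the original tutorial): one encoder per rendering context in JavaScript, following the OWASP output-encoding rules; `renderProfileCard` and the sample input are constructed for illustration.

```javascript
// Added example (not from the original tutorial): one encoder per rendering
// context, following the OWASP output-encoding rules. Using the wrong encoder
// (HTML-text encoding inside an unquoted attribute or a <script> block) leaves
// an injection path open, which is why the context matters.

// 1. HTML text context: <div>USER_DATA</div>
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// 2. HTML attribute context: <input value=USER_DATA>
//    Everything except [A-Za-z0-9] becomes &#xHH;, so the value cannot break
//    out even when the template author forgot the surrounding quotes.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// 3. JavaScript string context: <script>var x = 'USER_DATA';</script>
//    \xHH / \u{...} escapes keep the value from closing the string literal or
//    the surrounding <script> element.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp <= 0xff ? `\\x${cp.toString(16).padStart(2, '0')}` : `\\u{${cp.toString(16)}}`;
  });
}

// 4. URL query-parameter context: <a href="/search?q=USER_DATA">
function encodeForUrlParameter(value) {
  return encodeURIComponent(String(value));
}

// Renders one untrusted display name into four contexts, each with the
// encoder that matches it (hypothetical template, not from the page).
function renderProfileCard(displayName) {
  return [
    `<div class="name">${encodeForHtml(displayName)}</div>`,
    `<input type="text" value=${encodeForHtmlAttribute(displayName)}>`, // unquoted on purpose
    `<a href="/search?q=${encodeForUrlParameter(displayName)}">search</a>`,
    `<script>var displayName = '${encodeForJsString(displayName)}';</script>`,
  ].join('\n');
}

// Constructed sample input: ordinary-looking text that still carries every
// markup-significant character (quotes, ampersand, angle brackets).
const SAMPLE_INPUT = `O'Neil & <Co> "Ltd"`;
console.log(renderProfileCard(SAMPLE_INPUT));
```

The attribute in `renderProfileCard` is left unquoted only to show that the attribute encoder still holds; real templates should quote every attribute as well.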
This tutorial explains the concept for awareness and defense. It does not include working exploit scripts.