What Is Cross-Site Scripting?

Cross-Site Scripting (XSS) is a vulnerability class where untrusted input is rendered by a browser as executable script instead of plain text, potentially allowing an attacker's script to run in another user's browser session. This overview is conceptual and defense-focused.

Categories of XSS

  • Reflected XSS — malicious input is immediately reflected back in a response.
  • Stored XSS — malicious input is saved on the server and served to other users later.
  • DOM-based XSS — the vulnerability exists in client-side script processing rather than server responses.

  Conceptual — output encoding pattern (pseudocode)
  // Pick the encoder for the context the value lands in; escapeHtml() is for HTML body text
  render(escapeHtml(userInput));

Prevention Techniques

  1. Encode output appropriately for the context (HTML, attribute, JavaScript, URL).
  2. Use a strong Content Security Policy (CSP) to restrict script execution sources.
  3. Prefer frameworks that auto-escape output by default.
  4. Validate and sanitize input on the server side.
  5. Set the HttpOnly flag on sensitive cookies to reduce impact if XSS occurs.

This tutorial explains the concept for awareness and defense. It does not include working exploit scripts.