What is Cross-Site Scripting (XSS)?

Definition

XSS

What is Cross-Site Scripting?

A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Stored XSS persists the payload in the application's database; reflected XSS delivers it via a crafted URL; DOM-based XSS manipulates client-side JavaScript. Successful XSS attacks can steal session cookies, capture keystrokes, redirect users to phishing pages, or silently perform actions on behalf of victims.

Related terms

Cross-Site Request Forgery (CSRF) →

An attack that tricks an authenticated user's browser into submitting an unauthorized request to a web application where the user is currently logged in.

SQL Injection (SQLi) →

An injection attack where malicious SQL statements are inserted into application input fields that are passed unsanitized to a database query, allowing attackers to manipulate query logic.

Payload →

The component of an attack that performs the attacker's intended malicious action after a vulnerability has been triggered.

Web Application Firewall (WAF) →

A security control that monitors, filters, and blocks HTTP/HTTPS traffic between clients and a web application based on rule sets designed to detect common attack patterns.

Put this into practice

Autonomous OWASP vulnerability scanning →

See how Penetrify's autonomous AI agents find and validate this class of security issue in your application.