OWASP Top 10: Cross-Site Scripting (XSS)

Cyber Security Mastery: From Zero to Hero

A03:2021 - Injection (Specifically XSS)

Cross-Site Scripting (XSS) occurs when an attacker can inject client-side script (usually JavaScript) into a web page viewed by other users. This allows the attacker to execute code in the victim's browser.

Types of XSS

  1. Stored XSS (Persistent): The malicious script is permanently stored on the target server (e.g., in a database comment field). The script then runs in the browser of every user who views the page.
  2. Reflected XSS (Non-Persistent): The script is supplied in the request, typically as a URL parameter in a crafted link. The server reflects the script back in its response, and the user's browser executes it.

XSS Impact

Attackers use XSS to:

  • Steal Cookies/Session IDs: Hijacking the victim's login session.
  • Keylogging: Capturing keystrokes within the browser.
  • Redirection: Redirecting the user to a malicious website.

Defense: Output encoding. Any user-supplied data displayed on the page must be converted so the browser treats it as harmless text rather than executable HTML or JavaScript.