XSS — Cross-Site Scripting
XSS is a client-side attack where an attacker injects malicious JavaScript into a webpage, which then runs in other users' browsers.
XSS Types
- Stored XSS: The payload is saved on the server (e.g., in a database) and served to every visitor of the affected page, which makes it the most dangerous type.
- Reflected XSS: The payload is carried in the URL and echoed straight back in the response; the victim must be tricked into clicking a malicious link.
- DOM-Based XSS: The payload never reaches the server; it is processed by client-side JavaScript that writes untrusted data into the page.
What Can XSS Do?
- Steal session cookies (account hijacking)
- Redirect to phishing pages
- Log keystrokes
- Deface websites
Prevention
- Sanitize untrusted HTML before inserting it into the page (e.g., with DOMPurify)
- Set the HttpOnly flag on session cookies so page scripts cannot read them
- Implement Content Security Policy (CSP) headers to restrict which scripts may run
- Encode output for the context it is rendered in (HTML body, attribute, JavaScript, URL)
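Output encoding in practice, as an added example that is not part of the original page: a template that concatenates untrusted input straight into markup (the stored/reflected XSS sink) next to the hardened version that encodes every untrusted value for the context it lands in. The function and variable names are assumptions for illustration.

```javascript
// Added example: HTML output encoding as an XSS defense. Untrusted input is
// treated as data, never as markup, by escaping the characters that carry
// meaning in the output context. Names here are illustrative assumptions.

// Escape for an HTML text (element body) context. '&' must be escaped first
// so that the entities produced for the other characters are not re-escaped.
function encodeForHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Escape for a double-quoted HTML attribute value. The same character set is
// sufficient because the templates below always double-quote attributes.
const encodeForAttribute = encodeForHtml;

// Vulnerable: untrusted input concatenated directly into the markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the untrusted value is encoded for the HTML body context.
function renderGreetingSafe(name) {
  return `<p>Hello, ${encodeForHtml(name)}!</p>`;
}

// Hardened: a search query reflected into a double-quoted attribute value.
function renderSearchBoxSafe(query) {
  return `<input type="text" name="q" value="${encodeForAttribute(query)}">`;
}

// Constructed sample input: the textbook probe string used to show the
// difference between the two templates.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// Returns both renderings so the contrast can be inspected or asserted on.
function demo(input = SAMPLE_INPUT) {
  return {
    unsafe: renderGreetingUnsafe(input), // raw <script> tag survives: XSS
    safe: renderGreetingSafe(input),     // rendered as literal text by the browser
  };
}
```

Encoding is the right tool when the value is plain data; only when the application must render user-supplied HTML does sanitizing (DOMPurify) come into play, and even then encoding still applies everywhere else.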
Practice XSS safely in our ethical hacking sandbox!