Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a web security vulnerability that allows an attacker to inject malicious client-side script into web pages viewed by other users. It occurs when an application places untrusted data into a page without encoding it for the context in which it lands (HTML body, attribute, JavaScript, URL or CSS), so the browser parses the data as markup or code instead of as text.
XSS is one of the most prevalent web application vulnerabilities and has appeared in every edition of the OWASP Top 10 (since 2021 under the broader "Injection" category). The injected script runs in the victim's browser with the origin, cookies and privileges of the vulnerable site, so the attacker can do anything the victim's session is allowed to do. The untrusted data does not have to come from a form field: URL parameters, HTTP headers, data read back from a database and values taken from the DOM itself are all common sources.
There are three primary types of XSS. In Stored XSS the malicious script is persisted on the target server (for example in a database, comment field or message forum) and served to every user who views the affected page. In Reflected XSS the script travels in a single request, typically a crafted link, and is echoed back by the server in the immediate response, such as an error message or search-results page, so the attacker must get the victim to visit the link. In DOM-based XSS the server's response may be entirely safe; the vulnerability is in client-side JavaScript that reads attacker-controlled data from a source such as location.hash, location.search, document.referrer or a postMessage payload and writes it to a dangerous sink such as innerHTML, document.write or eval.
The impact of XSS can be severe. Attackers can steal session cookies that lack the HttpOnly flag and hijack user accounts, deface pages, redirect users to malicious sites, capture keystrokes and form contents, or silently perform actions on behalf of authenticated users. Because the script runs on the site's own origin, it can read anti-CSRF tokens from the page, so XSS bypasses CSRF protection. In some cases XSS can be chained with other weaknesses to achieve remote code execution on the server, for example by driving an administrator's browser through functionality that uploads a plugin or template containing server-side code.
The primary defence is encoding all untrusted data at the point of output, using the encoding that matches the context the data is placed in (HTML text, HTML attribute, JavaScript string, URL, CSS); a single generic "escape" function is not enough, and user-supplied URLs additionally need a scheme allowlist because encoding does nothing against javascript: links. Modern templating frameworks auto-escape by default, but their escape hatches (such as React's dangerouslySetInnerHTML, Vue's v-html or Jinja's |safe filter) must be treated as sinks and reviewed. For DOM-based XSS, prefer safe sinks such as textContent and setAttribute over innerHTML, and consider Trusted Types where supported. A Content Security Policy that uses nonces or hashes and avoids 'unsafe-inline' for script-src is valuable defence in depth: it stops injected inline script from running even when an encoding bug slips through, but it is not a replacement for encoding. Marking session cookies HttpOnly and SameSite limits what a successful attack can do. Input validation belongs on the server; client-side validation improves usability but provides no security, since an attacker can bypass it by sending requests directly.