What is XSS?
Cross-Site Scripting (XSS) occurs when untrusted input is written into a web page without proper encoding, so that attacker-supplied script runs in other users' browsers within the site's origin. Because the script executes with the victim's privileges on that origin, it can read page content and cookies, hijack sessions, or perform actions as the user.
Types of XSS
- Reflected: The payload arrives in the request (e.g., a URL parameter) and the server echoes it into the response for that same request; it is usually delivered through a crafted link.
- Stored: The payload is persisted server-side (e.g., a comment saved in a database) and served to every user who later views the affected page.
- DOM-based: The server response itself is clean, but client-side JavaScript reads attacker-controlled data (e.g., location.hash) and writes it to a dangerous sink such as innerHTML or eval.
How to Prevent XSS
1. Input Sanitization
Validate input against what each field is supposed to contain (allow-listing by character set, length and format) and reject anything that does not fit. Treat this as a first line of defense only: stripping "dangerous characters" is unreliable because what is dangerous depends on where the value is later rendered, and context-correct output encoding is what actually prevents XSS.
2. Output Encoding
Encode untrusted data for the exact context it is written into: HTML entity encoding for element content and quoted attribute values, percent-encoding for values placed in URL query parameters, and JavaScript string escaping for values placed inside script code. Using the wrong encoder for a context (for example, HTML encoding a value that lands inside a script block) leaves the injection open.
3. Content Security Policy (CSP)
Send a Content-Security-Policy header that restricts where scripts may come from (for example, allowing only scripts that carry a per-response nonce), so an injected script that slips past encoding is not executed. CSP is defense in depth rather than a replacement for encoding, and 'unsafe-inline' must not be allowed for scripts or the policy provides no XSS protection.
Simulated XSS Test
Note: This is a safe, sandboxed environment for educational purposes only.