Cross-site scripting (XSS) is a type of injection attack in which the attacker injects malicious scripts into web pages viewed by other users. This can lead to session hijacking, theft of sensitive information, and other malicious activities.
Common Types of XSS
- Reflected XSS: The malicious script is embedded in a URL (for example, in a query parameter) and reflected back by the server in its response, so when a user opens the URL, the script executes in that user's browser.
- Persistent (stored) XSS: The malicious script is stored on the server (in a comment, profile field, or similar) and served to every user who views the affected page.
- DOM-based XSS: The vulnerability lies in client-side JavaScript that writes untrusted data (such as part of the URL) into the page's DOM without encoding it; the payload need never reach the server, so server-side filtering does not catch it.
Prevention Measures
- Input Validation: Validate user input against an allow-list of expected formats (length, character set, type) and reject anything that does not conform. Validation reduces the attack surface but is not sufficient on its own.
- Output Encoding: Encode untrusted data at the point where it is written into a page, using the encoding for that specific context (HTML body, HTML attribute, JavaScript, URL), so the browser treats it as data rather than interpreting it as markup or script.
- Content Security Policy (CSP): Use CSP response headers to restrict the sources from which scripts and other content may be loaded and executed, and to disallow inline scripts, so that an injected script is blocked even if encoding is missed somewhere.
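The DOM-based case and the output-encoding defence above, as an added example that is not part of the original page. It runs under Node, so the DOM element is simulated by a plain object; the function and variable names are my own, and the sample URL fragment is constructed for the demonstration.

```javascript
// Added example (not from the original page). Shows a DOM-based XSS sink,
// the same code hardened with context-specific output encoding, and an
// allow-list validator. The "element" is a plain object with an innerHTML
// property so the example runs without a browser.

// Encoder for the HTML text/attribute context. Once passed through this,
// untrusted data cannot close the current tag or open a new one.
function encodeForHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable: the URL fragment (attacker-controlled via a crafted link) is
// written straight into an HTML sink. The server never sees the fragment,
// so this is a purely client-side (DOM-based) bug.
function renderGreetingVulnerable(locationHash, element) {
  const name = decodeURIComponent(locationHash.slice(1));
  element.innerHTML = 'Welcome, ' + name;
  return element.innerHTML;
}

// Hardened: same feature, but the untrusted value is encoded for the HTML
// context before reaching the sink. (In a real page, prefer textContent
// when no markup is needed at all.)
function renderGreetingSafe(locationHash, element) {
  const name = decodeURIComponent(locationHash.slice(1));
  element.innerHTML = 'Welcome, ' + encodeForHtml(name);
  return element.innerHTML;
}

// Allow-list validation for a field whose format is known: letters, spaces,
// dots, apostrophes and hyphens, at most 40 characters. Defence in depth,
// not a substitute for encoding.
const NAME_RE = /^[A-Za-z][A-Za-z .'-]{0,39}$/;
function isValidName(name) {
  return NAME_RE.test(name);
}

// Constructed sample fragment carrying markup, as a crafted link would.
const SAMPLE_HASH = '#<script>alert(1)</script>';

function demo() {
  const vuln = renderGreetingVulnerable(SAMPLE_HASH, { innerHTML: '' });
  const safe = renderGreetingSafe(SAMPLE_HASH, { innerHTML: '' });
  return { vuln, safe,
           markupSurvives: vuln.includes('<script'),
           markupNeutralised: !safe.includes('<script') };
}
```

Running demo() shows the raw fragment landing in the vulnerable sink as live markup, while the hardened path renders it as visible text.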
[Figure: XSS Attack Diagram (image not included in this text)]