Introduction
XSS happens when an attacker injects malicious JavaScript into a website.
That code runs in other users' browsers.
How It Works
If a website does not properly filter input, attackers can inject scripts.
Example:
<script>alert('Hacked')</script>If stored or reflected, this runs in the victim's browser.
What Attackers Can Do
- steal session cookies
- redirect users
- modify page content
- run actions as the user
Types of XSS
- Stored XSS, saved in the database
- Reflected XSS, coming from a URL or input
- DOM-based XSS
Why This Happens
The application trusts user input too much.
How It Is Prevented
- input validation
- output encoding
- using frameworks safely
Conclusion
XSS allows attackers to run code inside trusted websites.
Proper handling of user input is key to preventing it.