Cross-Site Scripting (XSS) occurs when an attacker inserts malicious JavaScript or other code into a web page that unsuspecting users then execute in their browsers. The code runs with the same permissions as the legitimate website, giving attackers access to sensitive information like login cookies, personal data, or payment details.
XSS attacks happen in three main ways:
- Stored XSS: Attackers permanently inject code into a website's database. Every visitor who loads that page downloads and runs the malicious code.
- Reflected XSS: Attackers craft a malicious link that, when clicked, sends code to a website which echoes it back. Only users who click the link are affected.
- DOM-based XSS: The vulnerability lies in the site's own client-side JavaScript, which writes attacker-controlled data (for example a fragment of the URL) into the page without encoding it. The malicious code never reaches the server; it changes the page's structure entirely within the user's browser.
Why XSS matters: Your browser trusts code from websites you visit. If a site isn't properly validating and sanitising user inputs (like comments, search fields, or usernames), attackers can exploit this trust to steal session cookies, redirect you to phishing sites, or modify page content to trick you into revealing passwords.
As a user, you can reduce risk by keeping browsers and plugins updated, using script-blocking extensions cautiously, and being suspicious of unusual links from untrusted sources. Website developers prevent XSS by validating all user inputs, encoding data before displaying it, and using Content Security Policy headers to restrict where scripts can load from.
