Cybersecurity Shield
warning CRITICAL VULNERABILITY DETECTED

Cross-Site Scripting
(XSS)

When a website blindly trusts user input, hackers can inject malicious scripts. Learn how it works, why it's dangerous, and how to shield your applications.

terminal What is XSS?

Cross-Site Scripting (XSS) is a security vulnerability where an attacker injects malicious scripts (usually JavaScript) into a trusted website. When other users view the infected page, their browser executes the script, thinking it's legitimate code from the website.

  • cookie Steal Cookies: Attackers can hijack user sessions and take over accounts.
  • visibility Spy on Users: Log keystrokes, capture screenshots, or track browsing history.
  • theater_comedy Deface Websites: Change the content or appearance of the site for visitors.
victim-browser.exe
// Normal Website Code

Welcome, User!

Here is your comment:


// INJECTED MALICIOUS SCRIPT

The Attack Simulation Lab

Try to hack this mock application. Then, turn on defenses to stop yourself.

security Defense Console

Output Escaping
Converts special chars to HTML entities
Content Security Policy
Blocks inline scripts execution

Try these payloads:

Hello World
https://vulnerable-social-media.com/feed lock

Admin

Welcome to the feed! Feel free to leave a comment below.

Analysis Log

Waiting for input...

The 3 Flavors of XSS

Stored XSS

1. Stored XSS

Most Dangerous

The malicious script is permanently stored on the server (e.g., in a database). Every time a victim loads the page, the server serves the script to them.

Example: A malicious comment on a blog post that hacks every reader.
Reflected XSS

2. Reflected XSS

Most Common

The script is part of the request (e.g., URL parameters) and the server reflects it back in the response immediately. It's not stored.

Example: A phishing link site.com?search=