Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is a security vulnerability typically found in web applications that threat actors exploit to compromise user sessions, deface websites, or redirect users to malicious sites. XSS enables attackers to inject malicious code in browser-side scripts of web pages viewed by other users. 

A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy, which permits scripts contained in a first web page to access data in a second web page only if both web pages have the same origin. The attacker will inject malicious scripts into content from otherwise reliable websites, which is then executed by a user’s browser, leading to theft of cookies, session tokens, and similar information retained by the browser.

To protect against XSS, web developers can employ secure programming techniques, such as using frameworks that automatically escape XSS by design, implementing content security policy (CSP) headers, and running security scans and code reviews to detect potential XSS vulnerabilities.