Vulnerabilities

Cross-site scripting is one of those vulnerabilities that keeps showing up because it’s fundamentally simple: untrusted data ends up in a place where the browser treats it as code. But “XSS” isn’t just one thing. In practice, you’ll usually hear about three flavors: Reflected XSS Stored XSS DOM-based XSS They all end with attacker-controlled JavaScript running in a victim’s browser, but the way the payload gets there matters a lot for both exploitation and prevention. ...

Cross-site scripting, usually shortened to XSS, is one of those web security bugs that sounds old-school but still shows up everywhere. If you build web apps that display user-controlled content, you need to understand it. Not just the definition, but how it actually happens in real code. The short version: XSS happens when an attacker gets your site to treat untrusted input as executable code in the browser. Usually that means JavaScript, but the real issue is broader than “someone injected a script tag.” The browser is parsing HTML, attributes, URLs, CSS, and script contexts differently, and if you put user data into the wrong place without the right protection, the attacker can make the page do things you never intended. ...