
What is Cross-Site Scripting (XSS)?

A web vulnerability that lets an attacker run their JavaScript in another user’s browser session.

XSS happens when an app reflects or stores untrusted input into a page without proper output encoding (CWE-79). The injected script runs with the victim’s privileges — stealing cookies, hijacking sessions, or defacing the page.

Types include reflected, stored (persistent), and DOM-based XSS.

How to defend

Apply context-aware output encoding, deploy a strict Content-Security-Policy, and treat all input as untrusted. Use framework auto-escaping.
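The context-aware encoding described above, shown as an added example (not code from this glossary or from any framework): each output context gets its own encoder, and link targets are additionally restricted to http(s). All function names and the sample input are constructed for illustration.

```javascript
// Added example: context-aware output encoding (all names are hypothetical).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Context 1: HTML element content and quoted attribute values.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Context 2: data embedded in an inline <script> block. JSON-serialize, then
// escape characters that could close the element or break the JS parser.
function encodeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Context 3: a single query-string parameter value.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Context 4: link targets. Encoding alone does not neutralize a javascript:
// URL, so the scheme is checked against an allowlist first.
function safeHref(url) {
  try {
    const parsed = new URL(url, 'https://example.invalid/');
    return ['http:', 'https:'].includes(parsed.protocol) ? encodeHtml(url) : '#';
  } catch {
    return '#';
  }
}

function renderProfile(name, website, query) {
  return [
    `<h1>${encodeHtml(name)}</h1>`,
    `<a href="${safeHref(website)}">site</a>`,
    `<a href="/search?q=${encodeUrlParam(query)}">search</a>`,
    `<script>const profile = ${encodeForScript({ name })};</script>`,
  ].join('\n');
}

// Constructed untrusted input: markup in the name, a script URL, URL metacharacters.
const sample = renderProfile('<img src=x onerror=alert(1)>', 'javascript:alert(1)', 'a&b=<c>');
console.log(sample);
```
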

Part of the Ciphers Security glossary. Free reference for analysts, defenders & learners.