Cross-Site Scripting (XSS)
What is XSS?
Cross-Site Scripting (XSS) is a security vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. XSS attacks can be used to steal session cookies, redirect users to malicious websites, or perform other harmful actions.
Types of XSS
There are three main types of XSS attacks:
- Stored XSS: The malicious script is stored on the server (e.g., in a database) and executed when the user views the affected page.
- Reflected XSS: The malicious script is reflected off a web server (e.g., in a URL or HTTP header) and executed immediately in the user's browser.
- DOM-based XSS: The malicious script is executed as a result of modifying the DOM (Document Object Model) of the web page.
Example of XSS
Here are some examples of XSS vulnerabilities:
<!-- Reflected XSS Example -->
<form action="search.php" method="get">
<input type="text" name="query">
<input type="submit" value="Search">
</form>
<!-- Vulnerable code -->
<?php echo $_GET['query']; ?>
<!-- Malicious input: -->
<script>alert('XSS Attack!')</script>
<!-- Stored XSS Example -->
<form action="comment.php" method="post">
<textarea name="comment"></textarea>
<input type="submit" value="Submit">
</form>
<!-- Vulnerable code -->
<?php echo $comment_from_db; ?>
<!-- Malicious input: -->
<script>document.cookie="stolen_cookie"</script>
<!-- DOM-based XSS Example -->
<a href="#" onclick="document.getElementById('output').innerHTML=location.hash">Click Here</a>
<div id="output"></div>
<!-- Malicious input: -->
http://example.com/#<script>alert('DOM XSS')</script>
XSS Playground
Try entering different inputs to see how XSS vulnerabilities can be exploited:
Back to Home