What is an XSS vulnerability?

An XSS vulnerability is a hole in a website that lets bad code sneak in and run in your browser, like stealing passwords or changing what you see.

7 min read min de lecture

~$ man xss

What is an XSS vulnerability?

Security gneurone encyclopedia
An XSS vulnerability is a hole in a website that lets bad code sneak in and run in your browser, like stealing passwords or changing what you see.

definition

XSS stands for Cross-Site Scripting. It is a security flaw where an attacker injects malicious JavaScript into a trusted website so the code runs in the browsers of other visitors.

The attack works because the site fails to validate or escape user input before displaying it. Common results include stolen cookies, session hijacking, and forced actions on behalf of the victim.

There are three main types: reflected XSS (via URL), stored XSS (saved on the server), and DOM-based XSS (client-side manipulation).

Imagine a public bulletin board where anyone can pin notes. If the board does not check the notes, an attacker pins a fake sign that says 'give me your wallet' and people follow it without realizing the sign is fake.

key takeaways

  • XSS lets attackers run their own code inside a victim's browser session.
  • It happens when web apps display user input without proper escaping or sanitization.
  • Attackers often use it to steal login tokens or perform actions without user consent.
  • Modern prevention uses content security policy headers and strict input validation.
  • Automated scanners and code reviews catch most XSS issues before deployment.

the 2026 job market

By 2026 web application security roles remain in high demand because every company runs customer-facing sites and APIs. Job titles include application security engineer, penetration tester, and secure code reviewer. Companies prioritize candidates who can find and fix injection flaws like XSS during development rather than after breaches.

Application Security Engineer · US $115k-155k / Canada $105k-140k / UK £70k-95kPenetration Tester · US $95k-135k / Canada $90k-125k / UK £60k-85k

frequently asked questions

How do you prevent an XSS vulnerability in code?

Escape all output, use templating engines that auto-escape, and add a strict Content-Security-Policy header. Regular code reviews and automated scanning tools also reduce risk.

What is the difference between reflected and stored XSS?

Reflected XSS arrives in a URL or form and bounces back immediately. Stored XSS saves the malicious script on the server so it runs for every visitor who loads the page.

Can an XSS vulnerability affect mobile apps?

Yes. Hybrid and web-view based mobile apps that load untrusted content can execute injected scripts just like browsers. Native apps are less exposed but still need input validation.

Is an XSS vulnerability the same as SQL injection?

No. SQL injection targets the database layer while XSS targets the browser. Both are injection flaws but they exploit different parts of the application stack.

courses to go further

Web Application Security
45 lessonsWeb Application SecurityEnroll →
$ cat ./full-guide.mdWeb Application Security : les 9 étapes clés pour passer de zéro à opérationnelread the guide →

related terms

SQL injectionOWASPcybersecurityethical hackinga pentest
< back to the encyclopedia

Auteur(s)

R

REHOUMA Haythem

Haythem Rehouma est un ingénieur et architecte IA et cloud, formateur et enseignant technique, avec un profil orienté IA médicale, AWS, MLOps, LLM/RAG et vision par ordinateur.