XSS (Cross-Site Scripting)
XSS lets an attacker inject scripts into web pages that are then executed in the browsers of other users.
Updated: 2026-03-06
Definition
Cross-Site Scripting (XSS) occurs when a web app includes untrusted data in a page without proper output encoding.
It can steal sessions, deface pages, or perform actions as the user.
Key points
- Stored / Reflected / DOM-based types
- Fix: context-aware output encoding, with CSP as defence in depth
- WAF can reduce risk but doesn’t replace fixes
Common mistakes
- Assuming input validation alone prevents XSS.
- Not using CSP where appropriate.
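To make the "Fix" and "Common mistakes" points concrete, here is an added example (not code from the original glossary page): the same template rendered once by concatenating untrusted data straight into the markup and once with HTML output encoding applied, together with a restrictive Content-Security-Policy header string. The function names, the header value and the sample input are constructed for this illustration.

```javascript
// Added example for this glossary entry; not part of the original page.
// Shows why output encoding (not input validation alone) stops XSS, and
// what a CSP header that limits injected scripts can look like.

// Encode the five characters that matter in HTML text and attribute contexts.
function encodeForHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: untrusted data concatenated directly into markup.
// Any validation done earlier is irrelevant once the data reaches this point unencoded.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Fixed pattern: identical template, but the data is encoded for the HTML context first.
function renderCommentSafe(comment) {
  return `<p class="comment">${encodeForHtml(comment)}</p>`;
}

// Defence in depth: a Content-Security-Policy value (hypothetical, chosen for this example).
// 'self' permits only same-origin scripts; inline scripts and eval are not allowed,
// so a script that slips past encoding still cannot run from the injected markup.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Constructed sample input: a textbook test string, not a real captured payload.
const constructedInput = '<script>alert(1)</script>';

// Simple check used to compare the two renderings: is there still a literal tag
// with the given name in the output that the browser would parse as markup?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// Stand-alone run: the unsafe rendering keeps the tag, the safe one does not.
console.log(renderCommentUnsafe(constructedInput));
console.log(renderCommentSafe(constructedInput));
console.log('Content-Security-Policy: ' + cspHeader());
```

The encoding is context-specific: `encodeForHtml` is correct for HTML text and quoted attribute values, but data placed inside a JavaScript string, a URL, or a CSS value needs the encoder for that context instead. The CSP header is a second layer, not a substitute for encoding, which is the same point the key points above make about a WAF.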