Cross-Site Scripting (XSS) Explained — 2026
June 6, 2001 · by Pentevo
Cross-Site Scripting (XSS) is a web vulnerability where an attacker gets their script to run in another user's browser, in the context of a trusted site. It's a long-standing entry in the OWASP Top 10 family. Here's a defender-focused explainer.
The core idea
Browsers trust the code a website sends them. If a site takes user input and reflects it back into a page without proper encoding, an attacker can sneak in markup or script that the victim's browser then executes — as if the site authored it. The canonical teaching example is an unescaped <script>alert(1)</script> appearing in a page, which demonstrates the browser running attacker-controlled content.
Again, the lesson is the root cause: untrusted input rendered into a page without encoding.
The three types
- Stored XSS — the malicious input is saved (e.g., in a comment) and served to everyone who views it. Most dangerous.
- Reflected XSS — the input is echoed back immediately (e.g., in a search result or error), usually via a crafted link.
- DOM-based XSS — the flaw is in client-side JavaScript that writes untrusted data into the page.
Why it matters
Running script in a victim's session can mean stealing session cookies, hijacking accounts, keylogging, defacing pages, or redirecting users — all under the trusted site's name.
How to prevent it
- Output encoding — encode data for the exact context it's placed in (HTML, attribute, JavaScript, URL). This is the primary defense.
- Use frameworks that auto-escape — React, Angular, and others encode by default; don't defeat them with raw HTML injection APIs.
- Content Security Policy (CSP) — a strong second layer that limits what scripts can run.
- Validate and sanitize rich input (e.g., with a trusted HTML sanitizer) when you must allow some markup.
- HttpOnly cookies — so stolen scripts can't read session cookies as easily.
How it's found
Authorized testers check whether inputs are reflected without encoding, using tools like Burp Suite — always within scope, to fix before attackers exploit it. See What Is Penetration Testing? and SQL Injection Explained for the related injection class.
Want to learn web security hands-on? The free Pentevo Academy covers it end to end.
Related reading
VPN Explained: What It Does (and Doesn't) — 2026
How a VPN actually works, what it protects you from, what it doesn't, and how to choose one — without the marketing hype.
FundamentalsWhat Is Penetration Testing? A Beginner's Guide (2026)
A plain-English guide to penetration testing: what it is, the five phases, the main types, and how it differs from a vulnerability scan.
FundamentalsZero-Day Vulnerabilities Explained (2026)
What a zero-day vulnerability is, why it's so dangerous, how zero-day exploits are used, and what defenders can do about the unknown.
FundamentalsWhat Is a CVE? Understanding Vulnerability IDs (2026)
What CVE means, how the numbering works, how CVSS severity and EPSS scores help you prioritize, and how to track the CVEs that matter.
Practice this hands-on
Pentevo Academy turns these concepts into guided lessons, videos and quizzes — free.
Start learning free