What is XSS (Cross-Site Scripting)?
Turkish: XSS
XSS occurs when untrusted content runs as script in the browser, risking session theft, forged actions, and data exposure.
What is XSS?
XSS (Cross-Site Scripting) happens when attacker-controlled content runs as JavaScript in another user’s browser. It often comes from rendering user input into HTML without safe escaping: comments, profile fields, search results, URL parameters, and rich text editors are common entry points.
A successful XSS attack can steal session data, perform actions as the user, display fake forms, or exfiltrate sensitive information visible on the page.
Types of XSS
- Stored XSS: Malicious content is saved in the database and served to anyone who opens the affected page.
- Reflected XSS: Malicious data arrives in a URL or form request and is immediately reflected in the response.
- DOM-based XSS: The weakness is mainly in browser-side JavaScript that modifies the DOM unsafely.
Prevention
The main defense is context-aware output escaping, plus sanitization of any untrusted HTML that must be rendered as markup. The automatic escaping that frameworks such as React and Vue apply by default should be kept in place, while raw-HTML APIs such as innerHTML should be tightly controlled. Session cookies should carry the HttpOnly, Secure, and SameSite flags, and a Content Security Policy (CSP) should limit which scripts are allowed to run.
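The following is an added example, not code from the original glossary: it shows the context-aware escaping described above by rendering one comment both the unsafe way (raw concatenation) and the hardened way, alongside the cookie and CSP headers the paragraph lists. It runs in Node.js without a DOM; the comment fields, the hostile inputs, and the header values are constructed for illustration.

```javascript
// Added example (not part of the original page): context-aware HTML escaping
// for the two most common injection points, plus the response headers the
// Prevention section recommends. Runs in Node.js, no browser needed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// Escape a value for HTML text content (between tags).
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ESCAPES[c]);
}

// Escape a value for a double-quoted attribute. The same table suffices
// because the quote character is neutralised; the caller must add the quotes.
function escapeAttr(s) {
  return escapeHtml(s);
}

// Vulnerable rendering: untrusted values concatenated straight into markup.
// This is the pattern the glossary warns about; kept here only for contrast.
function renderCommentUnsafe(author, body) {
  return `<div class="comment" data-author="${author}">${body}</div>`;
}

// Hardened rendering: each value escaped for the context it lands in.
function renderCommentSafe(author, body) {
  return `<div class="comment" data-author="${escapeAttr(author)}">${escapeHtml(body)}</div>`;
}

// Response headers matching the glossary's advice. sessionId is a constructed
// placeholder; the CSP below allows scripts only from the page's own origin.
function securityHeaders(sessionId) {
  return {
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// Constructed untrusted inputs, as a tester would submit them: one targets
// the text context, the other tries to break out of the attribute context.
const hostileBody = '<script>alert(1)</script>';
const hostileAuthor = '" onmouseover="alert(1)';

console.log('unsafe:', renderCommentUnsafe(hostileAuthor, hostileBody));
console.log('safe:  ', renderCommentSafe(hostileAuthor, hostileBody));
console.log(securityHeaders('placeholder-session-id'));
```

In the safe output the angle brackets and quotes arrive as entities, so the browser shows the text literally instead of parsing a new tag or attribute.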
XSS should not be confused with SQL Injection. SQL injection targets server-side database queries; XSS targets the user’s browser session. Both risks need code review, automated checks, and recurring security testing.
Related Terms
Clickjacking tricks users into clicking hidden or disguised interface elements, often by framing a trusted page inside another site.
CSP (Content Security Policy): CSP tells the browser which scripts, styles, images, and connections are allowed, limiting the impact of XSS and injection flaws.
CSRF (Cross-Site Request Forgery): CSRF tricks a logged-in user's browser into sending an unwanted state-changing request, often by abusing automatic cookies.
Security Headers (HTTP): Security headers are HTTP response rules that tell browsers how to load and protect a page, reducing XSS and clickjacking risk.
SQL Injection: SQL injection occurs when untrusted input is mixed into SQL queries, creating risks of data leaks, privilege abuse, or record deletion.