What is XSS (Cross-Site Scripting)?

Turkish: XSS

XSS occurs when untrusted content runs as script in the browser, risking session theft, forged actions, and data exposure.

What is XSS?

XSS (Cross-Site Scripting) happens when attacker-controlled content runs as JavaScript in another user’s browser. It usually comes from rendering user input into HTML without escaping it for the context it lands in: comments, profile fields, search results, URL parameters, and rich text editors are common entry points.

A successful XSS attack can steal session data, perform actions as the user, display fake forms, or exfiltrate sensitive information visible on the page.

Types of XSS

  • Stored XSS: The payload is persisted server-side (database, file, message store) and served to every user who later opens the affected page, so a single submission can reach many victims.
  • Reflected XSS: The payload arrives in a URL parameter or form field and is echoed back unescaped in the immediate response; the victim has to be lured into sending the crafted request, typically through a link.
  • DOM-based XSS: The server response may be clean; the weakness is in client-side JavaScript that reads attacker-controlled data (location.hash, document.referrer, postMessage data) and writes it to a dangerous sink such as innerHTML or eval. The payload may never reach the server, so server-side filters and logs do not see it.

Prevention

The main defense is context-aware output escaping: encode data for the place it lands (HTML text, attribute value, URL, JavaScript string) rather than applying one generic filter. Untrusted HTML that must be rendered, such as rich text, should go through an allow-list sanitizer. Frameworks like React and Vue escape by default, and those defaults should be preserved; escape hatches such as innerHTML, dangerouslySetInnerHTML, and v-html need careful review. Session cookies should carry the HttpOnly, Secure, and SameSite flags, which limit what an injected script can steal but do not stop it from acting on the user’s behalf within the page. A Content Security Policy (CSP) that disallows inline scripts and restricts script sources adds a second layer that blocks many payloads even when an escaping bug slips through.
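The reflected and stored cases described under Types, and the context-aware escaping described above, as an added example that is not part of the original page. It is plain Node.js with no dependencies; the render functions, helper names, and the attacker payloads are constructed for illustration and are not from any real application.

```javascript
// Added example (not from the original page): a vulnerable render path beside
// a hardened one, with escaping chosen per output context. Node.js, no deps.

// Escape for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Embed data inside an inline <script> as a JSON literal. JSON.stringify alone
// is not enough: a "</script>" inside the string would close the script element
// during HTML parsing, so "<" is escaped as \u003c (and U+2028/U+2029, which
// are line terminators in JavaScript but not in JSON, are escaped too).
function toScriptJson(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Vulnerable: the search term is concatenated straight into HTML. If `query`
// comes from the URL this is reflected XSS; if it was read back from a
// database the same line is stored XSS. The bug is the same either way.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same data lands in three different contexts, and each
// interpolation uses the encoder for its own context.
function renderSearchSafe(query) {
  return [
    `<p>Results for: ${escapeHtml(query)}</p>`,                 // HTML text
    `<input name="q" value="${escapeHtml(query)}">`,             // attribute
    `<script>var lastQuery = ${toScriptJson(query)};</script>`,  // JS literal
  ].join("\n");
}

// Constructed attacker inputs, one aimed at each context (hypothetical data).
const payloads = {
  text: '<img src=x onerror="alert(document.cookie)">',
  attribute: '" autofocus onfocus="alert(1)',
  script: '</script><script>alert(1)</script>',
};

// Demo: show how each payload fares in the vulnerable and hardened renderers.
for (const [name, p] of Object.entries(payloads)) {
  console.log(`--- ${name} payload, vulnerable ---\n${renderSearchVulnerable(p)}`);
  console.log(`--- ${name} payload, hardened ---\n${renderSearchSafe(p)}\n`);
}
```

The vulnerable function emits the `<img>` tag as live markup; the hardened one emits `&lt;img ...&gt;`, which the browser displays as text. Note that `escapeHtml` would be the wrong tool for the script context: `JSON.stringify` plus the `<` rewrite keeps the value a string literal instead of letting `</script>` end the element.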

XSS should not be confused with SQL Injection. SQL injection targets server-side database queries; XSS targets the user’s browser session. Both require code review, automated checks, and recurring security testing.