Cross-site scripting (XSS) is a type of vulnerability that allows an attacker to inject malicious code into a website that is accessed by other users. When a user accesses the infected website, the injected code is executed by the user's web browser and allows the attacker to steal sensitive information such as login credentials or perform other malicious actions on behalf of the user.
There are two types of XSS attacks:
- Reflected XSS: In this type of attack, the malicious code is inserted into a request to the web server and then sent back to the user in the server's response. For example, an attacker could create a URL with malicious code and then send the link to a victim via email or social media. When the victim clicks on the link, the code is executed by the victim's browser.
- Stored XSS: In this type of attack, the malicious code is stored on the web server and made available to users when they access a particular page or function. For example, an attacker could post a message on a forum that contains malicious code and then wait for other users to see the message and execute the code in their browsers.
XSS attacks can be mitigated by measures such as validating and sanitising input and using technologies such as Content Security Policy (CSP) to limit the types of resources a website is allowed to load and execute.