# XSS

Cross-Site Scripting (XSS) attacks are a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject malicious scripts into content that other users see and interact with.&#x20;

The goal of such attacks is usually to steal session cookies or other sensitive information from victims, impersonate users, or manipulate the victim's experience on a website to serve the attacker's purpose.

{% @mailchimp/mailchimpSubscribe %}

#### Categories of XSS Attacks

1. **Stored XSS**: The malicious script is permanently stored on the target server, such as in a database, and is then presented to end users within the web app.
2. **Reflected XSS**: The script is included in a request made to the server and then reflected back in such a way that the script is executed in the user's browser.
3. **DOM-based XSS**: The attack occurs within the victim’s browser without involving the web server, typically by manipulating the browser's DOM with client-side scripts.

#### Defensive Measures

* Sanitize user inputs by filtering out or encoding special characters such as `<`, `>`, and `&`.
* Use Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed.
* Employ security-aware coding practices, library functions, and frameworks that automatically handle some aspects of security.

It's important for developers to remain vigilant and consistently apply security updates to mitigate XSS vulnerabilities. Regular security audits and code reviews can help detect potential XSS vulnerabilities.

{% embed url="<https://owasp.org/www-community/xss-filter-evasion-cheatsheet>" %}

{% embed url="<https://www.youtube.com/watch?v=9__4zIfkPQE>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ejpt-certification.certs-study.com/web-attacks/xss.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.