Cross-Site Scripting (XSS)
Severity: high

What is XSS?
Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into web pages viewed by other users. The browser executes the script because it trusts the content served by the website.
How it works
An attacker finds an input field or URL parameter that reflects user input without sanitization. They craft a payload containing JavaScript that executes in the victim's browser context, stealing cookies, session tokens, or redirecting to malicious sites.
Impact
Session hijacking, credential theft, defacement, malware distribution, and complete account takeover. In stored XSS, every user who views the affected page is compromised.
ShieldReport uses Dalfox and headless browser testing to inject test payloads and observe DOM changes. We detect reflected, stored, and DOM-based XSS variants.
How to fix it
Encode all user-supplied data with context-aware output encoding at the point it is written into the page (HTML body, attribute, JavaScript and URL contexts each need a different encoder). Use Content-Security-Policy headers to restrict inline script execution. Mark session cookies HttpOnly so that injected JavaScript cannot read session tokens.
Code example
Vulnerable

    // VULNERABLE: user input from the query string is concatenated straight into the HTML
    import express from 'express'
    const app = express()

    app.get('/search', (req, res) => {
      res.send('<h1>Results for: ' + req.query.q + '</h1>')
    })

Secure

    // SECURE: the value is HTML-encoded before it is written into the page body
    import express from 'express'
    import { encode } from 'html-entities'
    const app = express()

    app.get('/search', (req, res) => {
      // req.query.q may be a string, an array or undefined; coerce it before encoding
      res.send('<h1>Results for: ' + encode(String(req.query.q ?? '')) + '</h1>')
    })
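The following is an added example, not ShieldReport's code: a dependency-free, context-aware encoder for the /search page above, with the vulnerable and hardened renderers side by side and a helper that answers the question a scanner asks, namely whether a constructed test payload survives unencoded in the response. The header values and the session cookie are placeholders.

```javascript
// Escape for HTML text and double-quoted attribute contexts.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, ch => map[ch]);
}

// Encode a value for a JavaScript string-literal context: serialise as JSON, then
// escape the characters that could terminate a <script> block or break a line.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Express-style query values may be strings, arrays, objects or absent; normalise to one string.
function queryToString(q) {
  if (q === undefined || q === null) return '';
  if (Array.isArray(q)) return q.join(',');
  return typeof q === 'object' ? JSON.stringify(q) : String(q);
}

// The page's vulnerable handler, kept for comparison: raw reflection into the HTML body.
function renderVulnerable(q) {
  return '<h1>Results for: ' + queryToString(q) + '</h1>';
}

// Hardened handler: encode for each context the value lands in, and send the
// response headers recommended above (placeholder cookie value, constructed CSP).
function renderSecure(q) {
  const term = queryToString(q);
  const html =
    '<h1>Results for: ' + encodeHtml(term) + '</h1>\n' +
    '<input name="q" value="' + encodeHtml(term) + '">';
  const headers = {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'",
    'Set-Cookie': 'session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax',
  };
  return { html, headers };
}

// Detection-style check: true when the test payload appears verbatim in the response,
// i.e. the reflection point did not encode it.
function payloadSurvives(html, payload) {
  return html.includes(payload);
}
```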