XSS runs an attacker's JavaScript in another user's browser, where it can steal cookies or perform actions as the victim.
Types
- Stored — script saved server-side (e.g. in a comments field) and served to every viewer
- Reflected — script in the request (URL/parameter) echoed straight back in the response
- DOM-based — client-side JavaScript writes an untrusted value (e.g. the URL fragment) into the page without encoding
Defenses
- Output encoding matched to the HTML context the value lands in
- Content-Security-Policy (CSP) headers
- HttpOnly cookies (not readable from script)
Important interview questions and answers
- Q: CSP?
  A: Browser policy restricting script sources.
- Q: Encode on output?
  A: Match the context: HTML body vs attribute vs JS string.
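As an added example (not from these notes) of "match the context", here are three small encoders, one per output context, and a render function that uses each in the right place; the function names and the sample comment values are assumptions:

```javascript
// Added example: context-aware output encoders (not from the original notes).
// An untrusted value must be encoded for the exact context it is written into.

// HTML body / text-node context: neutralise &, <, >, ", '
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  }[c]));
}

// Quoted HTML attribute context: encode everything except alphanumerics
// as hex entities, so the value can never close the quote or add attributes.
function encodeForAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string-literal context: \xHH or \uHHHH for non-alphanumerics,
// so the value cannot terminate the literal or the enclosing <script> block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100
      ? `\\x${cp.toString(16).padStart(2, '0')}`
      : `\\u${cp.toString(16).padStart(4, '0')}`;
  });
}

// Render one comment into three contexts, each with its matching encoder.
function renderComment(author, text) {
  return [
    `<p class="comment">${encodeForHtml(text)}</p>`,
    `<a title="${encodeForAttribute(author)}">profile</a>`,
    `<script>var author = '${encodeForJsString(author)}';</script>`,
  ].join('\n');
}

// Constructed sample values (not real data) containing HTML metacharacters.
const sampleAuthor = 'Tom & "Jerry"';
const sampleText = '<b>hi</b>';
console.log(renderComment(sampleAuthor, sampleText));
```

Using the HTML-body encoder inside an attribute or a JS string is the classic mismatch: the output is still "encoded" but the wrong characters are neutralised for that context.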
Self-check
- Name two XSS types.
- Name two defenses.
Tip: Deploy CSP in report-only mode in staging before enforcing it in production.
Interview prep
- Q: Stored XSS?
  A: Malicious script persisted on the server and served to other users.