Application & Web Security: Lecture Notes

Cross-Site Scripting: This is another attack resulting from unchecked and unfiltered user input.

A user with malicious intentions might insert HTML or JavaScript code as their input into one of the input fields. If the entered input is unfiltered, the JavaScript code will execute on the pages of the users of the website. For example, the code might redirect the user to a hacker's infecting webpage. The attacker might also insert an HTML-only code, such as one that includes a link to such a dangerous website or, in some cases, simply annoys the users.

Other instances of Cross-Site Scripting might even break into users' sessions, steal personal information, or infect the users' systems, without even having the users click anything.

Let's look into the following fun interactive demo of Cross-Site Scripting:
https://www.hacksplaining.com/exercises/xss-stored.