A03:2021-Injection

Cross-Site Scripting (XSS)

See how attackers run malicious JavaScript in your users' browsers by injecting code into a trusted website.

Concept Overview

Imagine a site that says "Hello, [Name]". If you enter <script>alert(1)</script> as your name and the site echoes it back into the page without escaping it, the browser treats it as markup and runs the script.
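The "Hello, [Name]" page rendered both ways, as an added example (not code from the original lesson): the reflection-prone version, the output-encoded version, and a small check a test suite can use to confirm that user input never turns into active content. Function names and the sample payload are my own.

```javascript
// Added example, not from the original lesson: the "Hello, [Name]" page
// rendered two ways, a reflected-XSS-prone version and an output-encoded one.
// Runs under Node; the payload below is a constructed sample, not a real attack.

// Vulnerable: user input is concatenated straight into the HTML response.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. '&' must be replaced first so already-encoded
// entities are not double-encoded out of order.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened: the same template, but every user-controlled value is encoded
// for the HTML text context before it reaches the page.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Detection aid for tests or log review: does the rendered HTML contain a
// script element or an inline event handler that the template never emitted?
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample input, the same payload the lesson uses.
const SAMPLE_PAYLOAD = "<script>alert(1)</script>";

console.log(renderGreetingUnsafe(SAMPLE_PAYLOAD)); // script element survives
console.log(renderGreetingSafe(SAMPLE_PAYLOAD));   // rendered as literal text
```

The escaped output still displays the literal characters "<script>" to the user, which is exactly what a name field should do; only the browser's interpretation changes.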

Real attacks don't use alerts. They steal sessions, hijack clicks, or redirect users to malicious clones of your site.