Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users.

Three main types:

1. Stored XSS (Persistent): Malicious script stored on server

   • Example: Comment section storing <script>alert('XSS')</script>

2. Reflected XSS (Non-persistent): Script reflected from request

   • Example: Search parameter displayed without encoding

3. DOM-based XSS: Vulnerability in client-side JavaScript

   • Example: document.write(location.hash.substring(1))

Impact: Session hijacking, credential theft, defacement, malware distribution

Prevention: Input validation, output encoding, Content Security Policy (CSP), sanitization