Cross-Site Scripting (XSS) is a web application vulnerability where attackers inject malicious scripts into pages viewed by other users. When a site fails to properly sanitize user-supplied content, an attacker can embed JavaScript that executes in visitors’ browsers, stealing session cookies or capturing credentials.
Stored XSS is the most dangerous variant: malicious script is saved in the application’s database and served to every user who views the affected page. Both stored and reflected XSS exploit the browser’s trust in content served from the legitimate domain.
CISSP Relevance
Cross-site scripting is addressed in Domain 8 (Software Development Security). CISSP candidates must understand XSS types, prevention techniques including output encoding and Content Security Policy, and how application vulnerabilities create risks that extend to end users.
External reference: OWASP Cross-Site Scripting Reference
Related terms: SQL Injection, Secure Software Development Lifecycle