XSS
Cross-Site Scripting — injecting client-side script into web pages viewed by other users.
XSS injects attacker-controlled script into a web page that other users’ browsers then execute, enabling session-cookie theft, keylogging, and page defacement. Three variants: stored (persisted on the server, hits every viewer), reflected (bounced off a crafted link), and DOM-based (entirely client-side). Defenses are output encoding/escaping for the context, input validation, and a Content Security Policy; modern frameworks auto-escape by default, but unsafe sinks like innerHTML reopen the hole.
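An added example (not part of this entry) of the context-specific output encoding described above, runnable under Node.js without a DOM: one encoder per insertion context, used by a hypothetical `renderComment` template whose `trackAuthor` call and hostile sample input are constructed for illustration. In the browser the same rule applies to DOM sinks: untrusted text goes into `textContent`, not `innerHTML`.

```javascript
// Encoder for HTML element content (text between tags) and for
// double-quoted attribute values: the five characters that can change
// HTML structure are replaced by entities.
function encodeForHtml(s) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => table[c]);
}
const encodeForAttribute = encodeForHtml; // only valid for QUOTED attributes

// Encoder for a value placed inside a JavaScript string literal. HTML
// entities are NOT decoded inside <script>, so the HTML encoder is the
// wrong tool here; instead every non-alphanumeric character becomes a
// \xHH or \uHHHH escape, so neither a quote nor "</script>" can appear.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hypothetical server-side template: each insertion point uses the encoder
// for its own context (attribute, element text, JS string literal).
function renderComment(author, body) {
  return `<div class="comment" data-author="${encodeForAttribute(author)}">` +
         `<p>${encodeForHtml(body)}</p>` +
         `<script>trackAuthor("${encodeForJsString(author)}");</script>` +
         `</div>`;
}

// Counts how many <script> open/close tags the rendered page contains;
// exactly one of each means no injected markup survived encoding.
function scriptTagCounts(html) {
  return {
    open: (html.match(/<script>/g) || []).length,
    close: (html.match(/<\/script>/g) || []).length,
  };
}

// Constructed hostile input: tries to close the attribute, inject a tag,
// and terminate the script block.
const hostile = '"><b>x</b></script>';
console.log(renderComment(hostile, '<i>hi</i>'));
console.log(scriptTagCounts(renderComment(hostile, hostile))); // { open: 1, close: 1 }
```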