Cyfotok Labs logo
CyfotokCyfotok Labs
DashboardPathsLabsLeaderboardPricingFor Colleges
Sign up
LoginSignup
  1. Home
  2. /
  3. Guides
  4. /
  5. What Is Cross-Site Scripting (XSS)?
Cybersecurity BasicsEnglish

What Is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) injects malicious JavaScript into web pages viewed by other users. It steals cookies, hijacks sessions, and defaces sites. Three types — reflected, stored, and DOM-based — each with distinct exploitation patterns you can practice in Cyfotok XSS labs.

Published 1 June 2025Updated 1 June 2026

Reflected XSS

Payload in URL or form is immediately reflected in the response. Victim clicks a crafted link. Example: search box displays unescaped query parameter.

Stored XSS

Payload saved in database (comment, profile bio) and served to every visitor. Higher impact — one injection affects all users.

DOM-based XSS

JavaScript on the page reads attacker-controlled input (location.hash, postMessage) and writes it to DOM via innerHTML without sanitization.

Impact and mitigation

Impact: session theft, keylogging, phishing overlays. Mitigation: output encoding, Content-Security-Policy, HttpOnly cookies, input validation.

Practice this in a lab

  • Open xss comments lab →

Frequently asked questions

XSS vs SQL injection?
SQLi targets the server database. XSS targets other users' browsers via the website.

Related guides

  • XSS Lab Practice Guide

    XSS lab practice guide: reflected, stored, and DOM-based cross-site scripting labs on Cyfotok with tutorials.

  • OWASP Top 10 Explained for Beginners

    OWASP Top 10 explained simply: injection, broken auth, XSS, and more. Practice each risk category on Cyfotok Labs.

  • How to Learn SQL Injection — Step by Step

    Learn SQL injection step by step: login bypass, UNION attacks, blind SQLi. Practice hands-on with Tanglish tutorials on Cyfotok Labs.

  • What Is CSRF (Cross-Site Request Forgery)?

    What is CSRF (Cross-Site Request Forgery)? Learn how attackers forge requests and practice CSRF labs on Cyfotok.

Ready to practice?

Practice XSS labs