# A7 - Cross-Site Scripting (XSS)

XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications. Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET.

* [**DOM XSS**](https://appsec-cali.gitbook.io/appseccali/v/appsec/web-application-pentesting/a7-cross-site-scripting/dom-xss)
* [**Reflected XSS**](https://appsec-cali.gitbook.io/appseccali/v/appsec/web-application-pentesting/a7-cross-site-scripting/reflected-xss)
* [**Stored XSS**](https://appsec-cali.gitbook.io/appseccali/v/appsec/web-application-pentesting/a7-cross-site-scripting/stored-xss)
* [**XSS - Sending data to remote server**](https://appsec-cali.gitbook.io/appseccali/v/appsec/web-application-pentesting/a7-cross-site-scripting/advanced-xss-sending-data-to-remote-server)

**Impact**

The impact of XSS is moderate for reflected and DOM XSS, and severe for stored XSS, with remote code execution on the victim’s browser, such as stealing credentials, sessions, or delivering malware to the victim.

**How to Prevent**

Preventing XSS requires separation of untrusted data from active browser content. This can be achieved by:

* Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. Learn the limitations of each framework’s XSS protection and appropriately handle the use cases which are not covered.
* Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The [OWASP Cheat Sheet ‘XSS Prevention’](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) has details on the required data escaping techniques.
* Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. When this cannot be avoided, similar context sensitive escaping techniques can be applied to browser APIs as described in the [OWASP Cheat Sheet ‘DOM based XSS Prevention’](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).
* Enabling a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) as a defense-in-depth mitigating control against XSS. It is effective if no other vulnerabilities exist that would allow placing malicious code via local file includes (e.g. path traversal overwrites or vulnerable libraries from permitted content delivery networks).
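The four prevention bullets above map onto concrete encoders, one per output context. The following Node.js block is an added example written for this page (it is not code from the original page or from OWASP): it implements HTML body/attribute escaping, a scheme allow-list for the URL context, a JavaScript-string encoder, and a defense-in-depth CSP header, then renders a constructed sample profile whose fields are attacker-controlled. `renderProfile`, `fragmentIsInert` and the sample data are assumptions made for the demo.

```javascript
// Added example (not from the original page or OWASP): output encoding by
// context for the prevention rules listed above. Assumes Node.js; the sample
// "untrusted" profile below is constructed for the demo.

// HTML body and quoted-attribute context: encode the five characters that can
// end the current context or begin a tag or entity.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL context (href/src): encoding alone does not help, because a
// "javascript:" scheme survives entity encoding unchanged. Allow-list the
// scheme first, then encode the result for the attribute it is placed in.
function safeHref(untrusted) {
  let url;
  try {
    url = new URL(String(untrusted)); // throws on relative or malformed input
  } catch {
    return '#';
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return '#';
  return escapeHtml(url.href);
}

// JavaScript string context: JSON.stringify yields a valid literal, and
// encoding "<" as \u003c stops a "</script>" inside the data from closing the
// surrounding script element. (Under the CSP below an inline script would also
// need a nonce; passing data through a data-* attribute avoids that entirely.)
function jsStringLiteral(untrusted) {
  return JSON.stringify(String(untrusted))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed sample of attacker-controlled profile fields (not real data).
const SAMPLE_PROFILE = {
  displayName: '<script>alert(document.cookie)</script>',
  homepage: 'javascript:alert(1)',
  bio: '" onmouseover="alert(1)',
};

// Server-side template: every interpolation uses the encoder for its context.
function renderProfile(profile) {
  return [
    `<h1>${escapeHtml(profile.displayName)}</h1>`,
    `<a href="${safeHref(profile.homepage)}">homepage</a>`,
    `<p data-bio="${escapeHtml(profile.bio)}">${escapeHtml(profile.bio)}</p>`,
  ].join('\n');
}

// Heuristic check used by the demo: a correctly encoded fragment contains no
// raw <script tag, no javascript: URL and no unencoded on*=" event attribute.
function fragmentIsInert(html) {
  return !/<script|javascript:|on\w+="/i.test(html);
}

// Defense in depth: a CSP that blocks inline and third-party script even if an
// encoding mistake slips through. Returned as a header name/value pair.
function cspHeader() {
  return {
    name: 'Content-Security-Policy',
    value: "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
  };
}

console.log(renderProfile(SAMPLE_PROFILE));
console.log(`${cspHeader().name}: ${cspHeader().value}`);
```

Run with `node` to see the rendered fragment: the script tag in the display name arrives as text, the `javascript:` homepage collapses to `#`, and the quote in the bio stays inside the `data-bio` attribute. The CSP is deliberately without `'unsafe-inline'`, which is what makes it a meaningful backstop.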
