

Cross-Site Scripting (XSS)

An injection flaw where attacker-controlled data reaches a browser-side scripting sink, letting the attacker execute script in the victim's session origin.

Explainer

What it is

XSS comes in three canonical shapes. Reflected XSS echoes attacker input from the request back into the response. Stored XSS persists the payload in a data store and serves it to every subsequent reader. DOM XSS never touches the server: client-side script reads attacker-controlled data from the URL, window.name, or postMessage and writes it to a sink such as innerHTML or eval.

Why it matters

A successful XSS payload runs in the victim's origin. That means session cookies, stored tokens, and every same-origin API are under attacker control for as long as the page is open. Stored XSS on a high-traffic page scales the blast radius to every visitor, not just one.

Mitigation direction

Treat all data as untrusted and encode it context-correctly — HTML, attribute, JavaScript, URL, and CSS contexts each require different encoders. A strict Content-Security-Policy with script-src 'self' plus nonces or hashes blocks most inline-injection classes outright. Ban dangerous sinks (innerHTML, document.write, eval) in code review.

  • Log4Shell (CVE-2021-44228)

    A remote code execution flaw in Apache Log4j 2.x where JNDI lookups inside logged strings caused servers to fetch and execute attacker classes.

  • SQL Injection (SQLi)

    An injection flaw where attacker-controlled input is concatenated into a SQL statement, letting the attacker read, modify, or exfiltrate database content.

  • XML External Entity (XXE)

    A defect in XML parsers that dereference external entity declarations, letting attackers read local files, trigger SSRF, or exhaust resources.
