# 5.3 - Cross Site Scripting

### Topics

> 1. [XSS Anatomy](broken://pages/WGykbCKyYjRsT8TCLnsi)
> 2. [Reflected XSS](broken://pages/9zEQjsDRvoElTrhJcjeb)
> 3. [Stored XSS](broken://pages/sIGdBlW38B4QM7ROZijM)
> 4. [DOM-Based XSS](broken://pages/V8aTZBUGMzSIsp0BojSh)
> 5. [Identifying & Exploiting XSS with XSSer](broken://pages/Dms69QkQmZtVs1hEwhuC)

{% embed url="<https://owasp.org/www-community/attacks/xss/>" %}

## Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a client-side web vulnerability that lets attackers embed malicious scripts into web pages.

It usually arises from inadequate input sanitization or validation in the web application.

Attackers exploit XSS to insert harmful code into a web application; because XSS is a client-side vulnerability, that code executes in the victim's browser.

XSS affects web applications that lack input validation and rely on client-side technologies such as JavaScript, Flash, CSS, etc.
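The input-handling failure described above, shown next to a hardened version, as an added example that is not part of the original notes. The function names (`renderUnsafe`, `renderSafe`, `escapeHtml`, `safeUrl`) and the sample inputs are constructed for illustration.

```javascript
// Added example: the same page fragment rendered without and with
// validation plus context-aware output encoding. All names are hypothetical.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Validation: only absolute http(s) URLs may be placed in an href.
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '#';
  } catch {
    return '#'; // not parseable as an absolute URL
  }
}

// Vulnerable: user input is concatenated into the markup unchanged,
// so the browser parses it as part of the page.
function renderUnsafe(query, link) {
  return `<p>Results for ${query}</p><a href="${link}">back</a>`;
}

// Hardened: validate the URL scheme, then encode every value
// for the context it is written into.
function renderSafe(query, link) {
  return `<p>Results for ${escapeHtml(query)}</p>` +
         `<a href="${escapeHtml(safeUrl(link))}">back</a>`;
}

// Constructed sample inputs: one for the element body, one for the href.
const sampleQuery = '<script>alert(1)</script>';
const sampleLink = 'javascript:alert(1)';

console.log(renderUnsafe(sampleQuery, sampleLink)); // markup and script URL survive
console.log(renderSafe(sampleQuery, sampleLink));   // rendered as inert text, href="#"
```

Encoding alone does not neutralize the `href` case, which is why the scheme check runs before the value is encoded.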

### Web Basics

* [Web Application Basics](https://attackdefense.com/listing?labtype=webapp-web-app-basics&subtype=webapp-web-app-basics-getting-started)
* [Web Apps Tools of Trade](https://attackdefense.com/listing?labtype=webapp-tools-of-trade&subtype=webapp-tools-of-trade-getting-started)

{% content-ref url="/spaces/iS3hadq7jVFgSa8k5wRA/pages/wH5bw6a9Xx1F2NPZKw0B" %}
[14 - Hacking Web Apps](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/main-contents/14-hacking-web-apps)
{% endcontent-ref %}

### Practise

🔬 Many deliberately vulnerable web apps are available for testing, such as:

* [Juice Shop - Kali Install](https://www.kali.org/tools/juice-shop/)
* [DVWA - Kali Install](https://www.kali.org/tools/dvwa/)
* [bWAPP](http://www.itsecgames.com/)
* [Mutillidae II](https://github.com/webpwnized/mutillidae)

<details>

<summary>DVWA</summary>

**The Damn Vulnerable Web Application (DVWA)** is a web application built with PHP and MySQL intentionally designed to be susceptible to security vulnerabilities. Its primary purpose is to serve as a resource for security professionals to assess their skills and tools within a legal context. Additionally, it aids web developers in gaining a deeper understanding of the processes involved in securing web applications and facilitates learning about web application security for both students and teachers in a controlled classroom setting.

DVWA is designed to provide a platform for practicing various common web vulnerabilities at different difficulty levels, all presented through a simple and user-friendly interface. Note that the software deliberately contains both documented and undocumented vulnerabilities, encouraging users to explore and identify as many issues as possible.

</details>

{% embed url="<https://github.com/digininja/DVWA>" %}
DVWA
{% endembed %}

{% embed url="<https://portswigger.net/web-security/cross-site-scripting/cheat-sheet>" %}

#### DVWA - My Writeups

{% content-ref url="/spaces/rRWtuMw6xkkeDjZfkcWC/pages/EmtcnjNj2v4e1aU5r83h" %}
[DVWA](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/dvwa)
{% endcontent-ref %}

#### Theory and Lab platform

{% embed url="<https://portswigger.net/web-security/all-labs>" %}
Web Burp Suite Security Academy
{% endembed %}

> #### ❗ Disclaimer
>
> **Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!**
>
> ❗***Never run these techniques on unauthorized addresses***

