Interactive attack atlas

This story shows how a hidden script can ride inside a normal page like a trojan horse and attack visitors.

The trojan horse

Cross-Site Scripting Story

Unlike SQL injection, XSS turns the site against other visitors by hiding code inside a page they trust.

Story animation

The animation shows the script being planted, delivered, executed, and then neutralized safely.

1. Public comment box: a normal page feature becomes the hiding place. The attacker posts a comment that carries a hidden script:
   <script>steal_cookies()</script>
2. Server storage: the application stores the comment where future visitors will load it. The comments table now holds "Nice article!" followed by the stored comment with the hidden script, <script>steal_cookies()</script>.
3. Victim browser: an innocent visitor opens the same page to read comments. The page loads "Nice article!" and, right after it, <script>steal_cookies()</script>.
4. Ghost in the browser: the browser thinks the website told it to run this code. Trusted page renders comment ➜ browser sees script tag ➜ code runs.
5. Cookie jar: the session cookie is grabbed and sent back to the attacker.
6. Impersonation: the stolen session token lets the attacker act like the victim, reaching the victim profile, messages, settings, and account access. The hacker now acts as the victim.
7. Sanitizer defense: output encoding turns active code into plain visible text. After the output encoding spray, the browser just displays the weird text instead of running it.
The lesson:

XSS is a trojan horse inside the page. Encoding and sanitizing user content keeps it as text, so the browser never mistakes it for trusted instructions.

The animation shows how a hidden script can attack the visitors instead of the server database.

Quick understanding

1. A malicious script is planted into public content.
2. The website later serves that content to normal visitors.
3. The victim browser runs it because it trusts the page context.
4. Session cookies or private data can be stolen.
5. The attacker can then impersonate the victim.
6. Output encoding turns the script into harmless visible text.

Real defenses that matter

Always encode user content for the exact place where it will be displayed so text stays text inside the browser.
Understanding

XSS attacks the browser side. The danger is not the database itself, but what the visitor’s browser is tricked into doing.

Why it matters

A script hidden in a trusted page can steal sessions, read data in the browser context, and abuse the victim’s account.

Defense mindset

Escape output, sanitize carefully, set CSP, and avoid rendering untrusted HTML directly into the page.
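The following is an added example, not code from the original page or from any project it describes. It applies the defenses named above to the story's own comment list: a vulnerable renderer that concatenates user text into markup sits beside a hardened one that encodes each value for the exact place it lands (element content versus a quoted attribute), and a response builder adds a Content-Security-Policy header and an HttpOnly session cookie so that the cookie jar is out of reach of script even if a tag ever slips through. All names (storedComments, renderCommentsUnsafe, renderCommentsSafe, buildSecurityHeaders, buildPageResponse) and the sample data are assumptions made for this illustration; SESSION_ID_PLACEHOLDER stands in for a real session id.

```javascript
// Added example, not code from the original page. Names and sample data are
// assumptions made for this illustration.

// Constructed sample of the "comments" storage: one benign comment, one
// carrying the planted script from the story, one author name with a quote.
const storedComments = [
  { author: "alice", body: "Nice article!" },
  { author: "mallory", body: "<script>steal_cookies()</script>" },
  { author: 'Bob "the builder"', body: "Thanks!" },
];

// Encoder for HTML element content. The ampersand is replaced first so the
// entities produced by the later replacements are not double-encoded.
function encodeForHtmlContent(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Encoder for a double-quoted attribute value. The same entity set suffices
// as long as the caller always wraps the result in double quotes.
function encodeForHtmlAttribute(value) {
  return encodeForHtmlContent(value);
}

// Vulnerable rendering: user text is concatenated straight into markup, so the
// browser sees a real <script> tag and runs it ("ghost in the browser").
function renderCommentsUnsafe(comments) {
  return comments
    .map((c) => `<li data-author="${c.author}">${c.body}</li>`)
    .join("\n");
}

// Hardened rendering: each value is encoded for the exact context it lands in.
function renderCommentsSafe(comments) {
  return comments
    .map(
      (c) =>
        `<li data-author="${encodeForHtmlAttribute(c.author)}">` +
        `${encodeForHtmlContent(c.body)}</li>`
    )
    .join("\n");
}

// True when the markup still contains a live <script ...> tag.
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Response headers that back up the encoding: CSP refuses inline scripts even
// if a stray tag slips through, and HttpOnly keeps the session cookie away
// from document.cookie. SESSION_ID_PLACEHOLDER stands in for a real id.
function buildSecurityHeaders(sessionId = "SESSION_ID_PLACEHOLDER") {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'",
    "Set-Cookie": `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Assemble the full comments page response using the safe renderer.
function buildPageResponse(comments) {
  const body =
    "<!doctype html><html><body><h1>Comments</h1><ul>\n" +
    renderCommentsSafe(comments) +
    "\n</ul></body></html>";
  return { status: 200, headers: buildSecurityHeaders(), body };
}

console.log("unsafe:\n" + renderCommentsUnsafe(storedComments));
console.log("safe:\n" + renderCommentsSafe(storedComments));
```

Run it with node and compare the two outputs: the unsafe version carries a live script tag, the safe version shows `&lt;script&gt;steal_cookies()&lt;/script&gt;`, which the browser displays as text. Note that the attribute encoder is only safe because the template always quotes the attribute; an unquoted attribute would need a much stricter encoder, which is exactly why the text says to encode for the exact place the content is displayed.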

Common signs

Unexpected page behavior, strange redirects, session abuse, or odd content executing inside comments are strong warning signs.
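As an added example (not code from the original page), the "odd content inside comments" warning sign can be turned into a triage scan over stored comments that are supposed to hold plain text only. The function names (findMarkupIndicators, scanStoredComments, prioritize) and the sample rows are assumptions; the rows include a comment with plain angle brackets in a math sentence, to show that a scan must not flag every `<`.

```javascript
// Added example, not code from the original page. Names and rows are
// assumptions made for this illustration.

// Constructed rows standing in for the "comments" table.
const commentRows = [
  { id: 1, body: "Nice article!" },
  { id: 2, body: "<script>steal_cookies()</script>" },
  { id: 3, body: "I think 3 < 5 and 5 > 3" }, // angle brackets, but no tag
  { id: 4, body: 'See <a href="https://example.com/">this</a>' }, // markup, not script
];

// Returns the indicator names found in one comment body. An empty list means
// nothing in the text looked like markup.
function findMarkupIndicators(text) {
  const indicators = [];
  if (/<\s*script\b/i.test(text)) indicators.push("script-tag");
  // A tag needs a letter right after "<" (or "</"), so "3 < 5" does not match.
  if (/<\s*\/?\s*[a-z][a-z0-9-]*(\s[^>]*)?>/i.test(text)) indicators.push("html-tag");
  return indicators;
}

// Scan every row and keep only the ones that need a human look.
function scanStoredComments(rows) {
  return rows
    .map((row) => ({ id: row.id, indicators: findMarkupIndicators(row.body) }))
    .filter((hit) => hit.indicators.length > 0);
}

// Order hits so that comments with a script tag come first.
function prioritize(hits) {
  const hasScript = (h) => Number(h.indicators.includes("script-tag"));
  return [...hits].sort((a, b) => hasScript(b) - hasScript(a));
}

for (const hit of prioritize(scanStoredComments(commentRows))) {
  console.log(`comment ${hit.id}: ${hit.indicators.join(", ")}`);
}
```

A scan like this is a signal for incident triage and for checking whether a planted comment already sits in storage; it is not a control. Stored text that does not match these patterns is still untrusted, so output encoding at render time remains the fix.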

Tags: Browser, Cookies, Encoding, Sanitization