BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
  1. Home
  2. ›
  3. Glossary
  4. ›
  5. XSS
Bug Bounty

XSSCross-Site Scripting

Definition

Vulnerability where attacker-controlled JavaScript executes in a victim's browser under a trusted domain's context. Session theft, account takeover, and targeted phishing.

Three flavours: Reflected (payload in URL/params, reflected unsanitised), Stored (payload persists in backend and triggers when others load it), DOM-based (injection happens client-side via insecure JS).

Impact in bug bounty: depends on scope and domain. XSS on login = ATO via cookie theft → high payout. XSS on the main site with HttpOnly cookies → reduced impact (defacement, phishing). Persistent stored XSS on someone else's profile = the classic juicy one.

Modern defence: strict CSP (no inline scripts, nonce per request), context-aware encoding (HTML, URL, JS, CSS are distinct), framework templating that escapes by default (React JSX, Vue {{ }}).

Related terms

  • SQLi
  • IDOR
  • SSRF

Latest articles on Bug Bounty

  • →Repo jacking on bundler.io: open supply chain attack
  • →Jacob Butler arrested for running Kimwolf botnet
  • →KimWolf botnet admin charged: 2M devices, US-Canada joint op

Interested in Bug Bounty?

Get one technical story a day on bug bounty — curated, summarised, actionable.

Subscribe
BBLabs NewsBBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad, vulnerabilidades, IA y bug bounty. Para gente que se toma en serio no perder el tiempo.

Conecta

Comunidad

  • Discord BBLabsÚnete a la comunidad
  • Discord Bug Bounty EspañaComunidad BB Es

Síguenos

  • YouTube · 0xGorkaCyber, hacking y bug bounty
  • Instagram · @bblabs.esLo último del proyecto

Contacto

team@bblabs.esEscríbenos para lo que sea

Para feedback, partnerships o reportar un bug en la web. Respondemos rápido.

Acerca de·Temas·Glosario·RSS·Privacidad·Términos
© 2026 BBLabs News·Por Gorka El Bochi
Hecho en España