LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is Cross-Site Scripting (XSS) and why is it called a "confused deputy" attack?

XSS injects attacker JavaScript into a trusted page; it's a "confused deputy" because the victim's browser runs that script with the victim's own privileges, trusting it because it came from the legitimate site.

Cross-Site Scripting (XSS):

  • Exploits vulnerabilities to inject malicious JavaScript into web pages
  • The script runs on the user's browser, not the server
  • Typically steals cookies, session tokens, or performs actions as the user

Confused deputy attack:

  • The browser is the "deputy" trusted by both user and server
  • Attacker tricks the browser into executing malicious code
  • Code runs with the victim user's privileges
  • Browser doesn't know the script is malicious

Go deeper:

From Quiz: SPRG / Input Validation & Output Encoding | Updated: Jul 05, 2026