Quiz Entry - updated: 2026.07.05
What is Cross-Site Scripting (XSS) and why is it called a "confused deputy" attack?
XSS injects attacker JavaScript into a trusted page; it's a "confused deputy" because the victim's browser runs that script with the victim's own privileges, trusting it because it came from the legitimate site.
Cross-Site Scripting (XSS):
- Exploits vulnerabilities to inject malicious JavaScript into web pages
- The script runs on the user's browser, not the server
- Typically steals cookies, session tokens, or performs actions as the user
Confused deputy attack:
- The browser is the "deputy" trusted by both user and server
- Attacker tricks the browser into executing malicious code
- Code runs with the victim user's privileges
- Browser doesn't know the script is malicious
Go deeper:
PortSwigger — Cross-site scripting — definition, impact, the three XSS types, with labs.