Cross-site scripting (XSS) is a cybersecurity term for the injection of malicious script into a trusted website so that it executes in the browsers of that site's users (the client devices).
An attacker can achieve this by submitting malicious scripting data to an application server that stores it and later renders it to other users, for example as profile information on a social media web page. Because the injected script runs in each viewer's browser under the trust of the site, an attacker can use this method to expose sensitive data to the attacker.
If the web server has no protection in place, such as escaping user-supplied data before it is rendered, it may permanently store the malicious code and serve it for execution on every page view.
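The escaping protection just mentioned is easiest to see side by side with its absence. The following is an added example, not code from the original page: a vulnerable profile renderer that interpolates stored bio text directly into HTML, next to a hardened one that HTML-encodes the same data at the point of output. The profile entries, the `render_*` function names and the crude `contains_live_tag` check are all constructed for this illustration.

```python
import html

# Constructed sample profile data (placeholder content, not from the page):
# one benign bio and one that a user has filled with markup.
PROFILES = {
    "alice": "Likes hiking & photography",
    "mallory": '<script>alert("stored xss")</script>',
}


def render_profile_unsafe(username: str, bio: str) -> str:
    """Vulnerable: stored user data is interpolated straight into HTML.
    Any markup in the bio is interpreted by the browser of every visitor."""
    return f'<h1>{username}</h1><p class="bio">{bio}</p>'


def render_profile_safe(username: str, bio: str) -> str:
    """Hardened: HTML-encode the data when it is written into the page, so
    the browser shows '<' as text instead of treating it as the start of a tag."""
    return (f"<h1>{html.escape(username)}</h1>"
            f'<p class="bio">{html.escape(bio)}</p>')


def render_attribute_safe(bio: str) -> str:
    """Attribute context: html.escape(quote=True) also encodes quotes, which
    would otherwise let a value terminate the title attribute early."""
    return f'<a title="{html.escape(bio, quote=True)}">profile</a>'


def contains_live_tag(rendered: str) -> bool:
    """Crude check used only to contrast the two renderers: a raw '<script'
    in the output means a tag survived into the page."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for user, bio in PROFILES.items():
        print("unsafe:", render_profile_unsafe(user, bio))
        print("safe:  ", render_profile_safe(user, bio))
```

Note that the encoding happens on output, not on storage: the database keeps the text exactly as submitted, and each rendering context (element body, attribute value) applies the encoding appropriate to it.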
A web application firewall (WAF) can help mitigate this risk by inspecting the content of client requests and ensuring it does not contain code that could compromise the security of the application server. A WAF can also be configured to allow only specific request types with expected data parameters and to deny all others until they are marked as safe, either by some dynamic mechanism or manually by a systems administrator.
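The two WAF behaviours described above, content inspection and a default-deny allowlist of request shapes, can be sketched in a few dozen lines. The following is an added example written for this page, not the configuration or code of any real WAF product: the `ALLOWLIST` rules, the `MARKUP_SIGNATURES` patterns and the sample requests are all constructed, and the `inspect_request` function is a hypothetical name. It returns a decision and a reason so the outcome can be logged.

```python
import re
from dataclasses import dataclass
from typing import Dict, Pattern, Tuple


@dataclass(frozen=True)
class Rule:
    """One allowed request shape: method, exact path, and the parameters it may carry."""
    method: str
    path: str
    params: Dict[str, Pattern]  # parameter name -> pattern the value must fully match


# Hypothetical allowlist for a profile endpoint (constructed for this example).
# Anything not matching one of these rules is denied until an administrator adds a rule.
ALLOWLIST = [
    Rule("GET", "/profile", {"user": re.compile(r"[a-z0-9_]{1,32}")}),
    Rule("POST", "/profile", {
        "user": re.compile(r"[a-z0-9_]{1,32}"),
        "bio": re.compile(r"[\w .,!?'-]{0,200}"),  # plain text only: no < > " & etc.
    }),
]

# Generic inspection signatures applied to every parameter value before allowlist
# matching, so that obviously script-bearing content is rejected with a clear reason.
MARKUP_SIGNATURES = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon\w+\s*=", re.I),  # inline event-handler attributes
]


def inspect_request(method: str, path: str, params: Dict[str, str]) -> Tuple[bool, str]:
    """Deny by default; allow only a request that matches one rule exactly."""
    for name, value in params.items():
        for sig in MARKUP_SIGNATURES:
            if sig.search(value):
                return False, f"blocked: parameter {name!r} matches signature {sig.pattern!r}"
    for rule in ALLOWLIST:
        if rule.method != method or rule.path != path:
            continue
        unexpected = set(params) - set(rule.params)
        if unexpected:
            return False, f"blocked: unexpected parameter(s) {sorted(unexpected)}"
        bad = [n for n, v in params.items() if not rule.params[n].fullmatch(v)]
        if bad:
            return False, f"blocked: parameter(s) {bad} outside expected pattern"
        return True, "allowed"
    return False, "blocked: no allowlist rule for this request"


# Constructed sample traffic, not captured from any real system.
SAMPLE_REQUESTS = [
    ("GET", "/profile", {"user": "alice"}),
    ("POST", "/profile", {"user": "alice", "bio": "Likes hiking, photography!"}),
    ("POST", "/profile", {"user": "mallory", "bio": "<script>alert(1)</script>"}),
    ("POST", "/profile", {"user": "alice", "bio": "ok", "role": "admin"}),
    ("DELETE", "/profile", {"user": "alice"}),
]

if __name__ == "__main__":
    for method, path, params in SAMPLE_REQUESTS:
        allowed, reason = inspect_request(method, path, params)
        print(f"{method} {path} {params} -> {reason}")
```

The allowlist is deliberately strict: a bio containing `&` is rejected even though it is harmless, which is the usual trade-off of positive validation and the reason the text mentions a mechanism for marking new request shapes as safe. The signature list is a secondary, best-effort layer and should not be relied on alone.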