From 500d502b2647891accfe27c1cc9c76b0a9f7153b Mon Sep 17 00:00:00 2001
From: henopied <henopied@users.noreply.github.com>
Date: Sat, 21 Sep 2024 21:37:47 -0500
Subject: [PATCH] xss

---
 fallctf-2024/src/web/web.md | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/fallctf-2024/src/web/web.md b/fallctf-2024/src/web/web.md
index fef5248..d476e42 100644
--- a/fallctf-2024/src/web/web.md
+++ b/fallctf-2024/src/web/web.md
@@ -125,5 +125,22 @@ If you want more resources on learning the linux command line...
 
 + Review our [Setup/Terminal Meeting Slides](https://sigpwny.com/meetings/fa2023/2023-09-03/)
 
-## Cross Site Scripting (XSS)
+## Cross-Site Scripting (XSS)
 
+Cross-Site Scripting is a vulnerability that allows an attacker to execute malicious scripts on a website. This can be used to steal cookies, redirect users to malicious websites, or deface the website.
+
+I like to think of XSS as as another type of injection attack, but instead of injecting into a database or command line, you're injecting into the website's HTML.
+
+For example, let's say you have a website that displays a user's name on the page. If the website includes the input directly into the HTML, you can put your own HTML code in the input and have it execute on the page.
+
+```html
+<p>Welcome, <span id="username">USER INPUT</span></p>
+```
+
+If I had set `USER INPUT` to `<script>alert("Hello!")</script>`, then the website would display a popup saying "Hello!".
+
+```html
+<p>Welcome, <span id="username"><script>alert("Hello!")</script></span></p>
+```
+
+More details on XSS: https://portswigger.net/web-security/cross-site-scripting