What Is XSS (Cross Site Scripting)? And Why You Should Care (Even If You Don't Code) | Web Security / Penetration testing | Web Development | MejbanKadir | SMH Tech



I wanted to share something cool and kind of scary: XSS, or Cross-Site Scripting. Now wait, don’t run! 😅 I promise I’ll keep this simple and interesting, even if you’ve never touched a line of code in your life. Let’s break it down together.

🧠 Imagine This…:

Imagine you're using a website where you can post a comment: a blog, a review page, or a chat box. You click on a post and see this:



What happened here is that someone else, instead of writing a normal comment, typed something sneaky into the comment box like:
<script>alert("You Can't Read This Blog I hacked it");</script>

Because the website isn’t built securely, it actually runs that script, causing a pop-up to appear on your screen. 😨

But it’s not just about annoying pop-ups. That little script could do much worse: steal your login session, cookies, or even pretend to be you online.

That, my friend, is XSS — a type of hacking where someone injects code into a website, and the website accidentally trusts and runs it.

Attackers often hide their code to avoid detection by firewalls or filters:

<script>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,34,104,116,116,112,115,58,47,47,101,118,105,108,46,99,111,109,34))
</script>

// This just turns a list of character codes back into a script that changes the page’s location (or could load anything else).

XSS -> Cross-Site Scripting. (Yes, the letters don’t match perfectly — blame history.)

It happens when:

  • A website lets users input text (like comments, search queries or usernames).
  • But it doesn’t check or clean that input.
  • So someone can sneak in malicious code like JavaScript.
  • And the browser of anyone visiting that page will run the code — thinking it came from the trusted website.
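
Here is what "doesn't check or clean that input" looks like in code. This is an added example (not from the original post): a page that pastes a comment straight into its HTML next to one that escapes it first, using the comment from above as the sample input. The function names are my own.

```javascript
// Added example (not from the original post): the difference between a page that
// pastes a user's comment straight into its HTML and one that escapes it first.

// Turn the five characters that matter in HTML into harmless entities.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Vulnerable: whatever the commenter typed becomes part of the page's markup,
// so a <script> tag is parsed and executed by every visitor's browser.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Fixed: the comment is shown as text. The visitor sees the literal characters
// "<script>..." on the page, and nothing runs.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Constructed sample input: the sneaky comment from the post.
const SNEAKY_COMMENT = `<script>alert("You Can't Read This Blog I hacked it");</script>`;

// A tiny stand-in for the browser's parser: is there still a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderCommentUnsafe(SNEAKY_COMMENT));
console.log("safe:  ", renderCommentSafe(SNEAKY_COMMENT));
```

Escaping on output is the fix the post is hinting at with "check or clean that input": the comment is stored as typed, but it is rendered as text, never as markup.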

One day my friend sent me this link:

example.com/profile?name=<script>stealCookies()</script>

I immediately found out it was a malicious link by looking at the JS code at the endpoint.

So How Do Hackers Trick Us?

They use short links so we cannot see the endpoint or even the URL. Some of the best-known shortener sites (that I personally use) are:

~Shorter.me

~https://bitly.com/

~shorturl.at

So now the link looks like https://bit.ly/3abcXYZ, which redirects to ‘example.com/profile?name=<script>stealCookies()</script>’.

So How Do You Stay Safe From Short URLs?

~Use something like curl:

We can see it is redirecting to the main URL. (Sorry, I haven’t managed to purchase a domain yet, but I definitely will.)
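
The curl check above can be scripted. This is an added example (not from the original post): it reads the `Location` header out of raw response headers such as those printed by `curl -sI https://bit.ly/3abcXYZ`, and then looks at the destination for injected script. The `expandShortUrl` helper assumes Node 18+ with a global `fetch`; the sample headers and function names are constructed for this example.

```javascript
// Added example (not from the original post): find out where a short link goes
// without opening it in a browser, then check the destination for injected script.

// Pull the Location header out of raw response headers (for instance the text
// printed by `curl -sI <shortlink>`). Returns null if there is no redirect.
function locationFromHeaders(rawHeaders) {
  for (const line of rawHeaders.split(/\r?\n/)) {
    const m = /^location:\s*(.+?)\s*$/i.exec(line);
    if (m) return m[1];
  }
  return null;
}

// Heuristic: does the destination carry script in its URL? Percent-encoding is
// decoded first, because a payload is often encoded (%3Cscript%3E) to hide it.
function looksLikeInjectedScript(url) {
  let decoded;
  try { decoded = decodeURIComponent(url); } catch { decoded = url; }
  return /<script\b|javascript:|\bon\w+\s*=/i.test(decoded);
}

// Live check (assumes Node 18+ global fetch): send a HEAD request and do NOT
// follow the redirect, so we read the Location header instead of landing there.
async function expandShortUrl(shortUrl) {
  const res = await fetch(shortUrl, { method: "HEAD", redirect: "manual" });
  return res.headers.get("location");
}

// Constructed sample: what a shortener's response headers might look like for
// the link from the post (payload percent-encoded, as shorteners usually store it).
const SAMPLE_HEADERS = [
  "HTTP/1.1 301 Moved Permanently",
  "Server: nginx",
  "Location: https://example.com/profile?name=%3Cscript%3EstealCookies()%3C/script%3E",
  "Content-Length: 0",
].join("\r\n");

// Combine both steps into one verdict.
function checkHeaders(rawHeaders) {
  const target = locationFromHeaders(rawHeaders);
  return { target, suspicious: target !== null && looksLikeInjectedScript(target) };
}

console.log(checkHeaders(SAMPLE_HEADERS));
```

The keyword check is only a heuristic (it would also flag a harmless `?one=1`), so treat a hit as "look closer", and a miss as "no obvious script", not as proof the link is clean.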

XSS is one of the most common web security issues — and it’s been around for decades. It’s a big reason why websites have to be built carefully and tested constantly.

Even if you’re not a coder, it’s good to stay alert:

  • Don’t click weird links.
  • Don’t paste code into browser consoles from strangers.
  • Trust your instincts — if something feels shady, it probably is.

If you want to learn more, I recommend trying the labs of the Web Security Academy (PortSwigger): https://portswigger.net/web-security/cross-site-scripting

Thanks for reading! Hopefully, this helped you understand the world of XSS even if you’re not a coder. Cybersecurity isn’t just for hackers or developers — it affects everyone who uses the internet.

Stay curious, stay sharp, and most importantly… stay safe. 🔒

— MejbanKadir & the SMH Tech Team
 Helping you learn, one byte at a time.
