What Is XSS? Hindi Guide (2026)

Illustration: an XSS attack executing malicious JavaScript in the user's browser

What is XSS? How does Cross Site Scripting work? This Hindi guide explains the types, examples, detection and prevention in simple language.

Introduction

In the world of web security, if any attack is talked about as much as SQL Injection, it is XSS (Cross Site Scripting).

Today almost every website accepts user input: comment boxes, search fields, login forms, feedback forms, chat boxes, contact forms, profile update sections, and so on. If these inputs are not properly validated and sanitized, an attacker can inject a malicious script.

An XSS attack does not target the server directly; it targets the user's browser. That is why its impact can be very dangerous, for example:

  • Session hijacking
  • Cookie stealing
  • Fake login page injection
  • Phishing redirection
  • Account takeover
  • Malware injection

In this detailed, beginner-friendly guide we will explain in simple terms:

  • What XSS is
  • How it works
  • The types of XSS
  • Real-world examples
  • How to detect it
  • How to prevent it
  • How it differs from SQL Injection
  • How to practice it
  • Which tools to use
  • The secure coding approach

Let's understand it step by step.

If you have not studied SQL Injection yet, read the SQL Injection Kya Hai guide first.


What Is XSS?

XSS stands for Cross Site Scripting.

In simple terms:
XSS is a web attack in which the attacker injects malicious JavaScript code into a website so that it executes in the user's browser.

The attack targets the website's users, not the database or the server directly.


Why Is It Called XSS?

Originally the attack was named “Cross-Site Scripting” because the attacker could use a trusted website to run a malicious script in the context of another site.

Its abbreviation would have been “CSS”, but CSS was already taken by Cascading Style Sheets, so it was called “XSS”.


The Basic Concept of XSS

Let's understand it with a simple example.

Suppose a website has a comment section.

A user posts this comment:

Nice article!

The website shows the comment directly on the page without sanitizing it.

Now an attacker posts this comment:

<script>alert('Hacked');</script>

If the website does not filter the input, an alert box appears in the browser of every user who opens the page.

That is the basic concept of XSS.


How Does XSS Work? (Step by Step)

  1. The website accepts user input
  2. It does not sanitize the input properly
  3. The attacker injects malicious JavaScript
  4. The website displays that input on the page
  5. The victim's browser executes the injected script
  6. The attacker can access the user's sensitive data

Important point:
The script runs in the victim's browser, not on the server.


Why Is XSS Dangerous?

With XSS, an attacker can:

  • Steal cookies
  • Hijack the session
  • Inject a fake login form
  • Redirect the user to a phishing website
  • Log keystrokes
  • Capture sensitive data

If the attacker obtains the session cookie, they can log in to the user's account without the password.


The Real Impact of an XSS Attack

If a website has a Stored XSS vulnerability:

  • Every user who visits the page can fall victim to the attack
  • The admin panel can also be compromised
  • The website can get blacklisted
  • The company's reputation can be damaged

That is why XSS should not be taken lightly.


Types of XSS

XSS has three main types:

  1. Stored XSS (Persistent XSS)
  2. Reflected XSS
  3. DOM-Based XSS

Let's go through each of them in detail.


1. Stored XSS (Persistent XSS)

In this type, the malicious script is stored permanently on the server.

Typical places:

  • Comment section
  • Forum post
  • User profile bio
  • Chat message

Scenario:

  1. The attacker injects a malicious script into a comment
  2. The script is stored in the database
  3. Every user who opens the page has the script executed by their browser

This is considered the most dangerous type because it spreads automatically to every visitor of the page.


2. Reflected XSS

In this type, the script is not stored on the server.

It is reflected back through a URL parameter or a form input.

Example:

http://example.com/search?q=<script>alert(1)</script>

If the website displays the input directly without encoding it, the script can execute.

Reflected XSS is used mostly in phishing attacks.


3. DOM-Based XSS

This type happens on the client side.

Here the vulnerability is not in the server-side code but in the JavaScript code itself.

Example:

document.write("Welcome " + location.hash); // location.hash comes straight from the URL and is written into the page unencoded

If a malicious script is injected through the URL, the DOM can be manipulated.

This is a slightly more advanced concept, but it is important to understand.


Real World Example

Suppose a website shows the user's name from the URL:

example.com/welcome?name=Shikhar

Website code:

var name = new URLSearchParams(location.search).get("name"); // the name parameter is read from the URL as-is
document.write("Welcome " + name); // and written into the page without encoding

If the attacker sends this link:

example.com/welcome?name=<script>alert('Hacked')</script>

the script can run in the victim's browser.


Impact of an XSS Attack

  • Session hijacking
  • Account takeover
  • Sensitive data leak
  • Website reputation damage
  • Malware distribution
  • Admin account compromise

The attack is silent, and the user does not even notice it.


Difference Between XSS and SQL Injection

Feature     XSS              SQL Injection
Target      User browser     Database
Language    JavaScript       SQL
Impact      Session theft    Data leak
Execution   Client-side      Server-side

They are different attacks, and both are important to understand.


How to Detect XSS?

Basic detection steps for beginners:

  1. Enter <script>alert(1)</script> in an input field (in a legal lab)
  2. Observe the page response
  3. Inspect the HTML source
  4. Check whether special characters are being encoded or not

For practical testing, you can also read our Burp Suite Kya Hai article.
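
Step 4 in code, as an added example that is not part of the original guide: a helper that takes the HTML a lab target sent back and classifies whether the test string from step 1 came back raw, encoded, stripped of its tags, or not at all. The response bodies are constructed samples, not real server output.

```javascript
// Added example: classify how a reflected test string comes back in a page.
// Not code from the original guide. The responses below are constructed samples.

const PROBE = "<script>alert(1)</script>";

// Minimal HTML-entity encoding, used to compute the "safe" form of the probe.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Returns one of:
//   "reflected-raw"      the input landed in the HTML unchanged (the finding step 4 is about)
//   "reflected-encoded"  special characters were converted to entities before output
//   "reflected-filtered" the tags were stripped but the remaining text was echoed
//   "not-reflected"      the input does not appear in the response at all
function classifyReflection(responseHtml, probe = PROBE) {
  if (responseHtml.includes(probe)) return "reflected-raw";
  if (responseHtml.includes(htmlEncode(probe))) return "reflected-encoded";
  const tagless = probe.replace(/<[^>]*>/g, ""); // "alert(1)" for the default probe
  if (tagless && responseHtml.includes(tagless)) return "reflected-filtered";
  return "not-reflected";
}

// Constructed sample responses for the guide's search example: /search?q=<probe>
const SAMPLE_RESPONSES = {
  unencoded: "<h1>Results for: <script>alert(1)</script></h1>",
  encoded: "<h1>Results for: &lt;script&gt;alert(1)&lt;/script&gt;</h1>",
  filtered: "<h1>Results for: alert(1)</h1>",
  dropped: "<h1>Results for: </h1>",
};

function classifyAllSamples() {
  const result = {};
  for (const [name, html] of Object.entries(SAMPLE_RESPONSES)) {
    result[name] = classifyReflection(html);
  }
  return result;
}
```

Only "reflected-raw" means the characters reached the page unencoded; "reflected-filtered" still deserves a closer look at the HTML source, because tag stripping is not the same as encoding.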


Tools for XSS Testing

In an authorized environment:

  • Burp Suite
  • OWASP ZAP
  • Browser DevTools
  • Manual testing

With Burp Suite:

  • Intercept the request
  • Modify the parameter
  • Inject the payload
  • Analyze the response

How to Protect Against XSS? (Prevention)

Now the most important part: prevention.


1. Input Validation

  • Filter special characters
  • Limit the length
  • Use a whitelist approach

2. Output Encoding

Encode the data when you display it:

Convert < to &lt;
Convert > to &gt;

Then the browser will not execute the script.


3. Content Security Policy (CSP)

CSP restricts which scripts the browser is allowed to run.

Example header:

Content-Security-Policy: default-src 'self'
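
As an added example (not from the original guide) of how a browser reads this header, a small JavaScript check that parses a CSP value and reports whether it would still let an injected inline script run. It is deliberately limited to the directives shown here plus 'unsafe-inline', nonces, hashes and 'strict-dynamic', not the full specification.

```javascript
// Added example: does this Content-Security-Policy still allow an injected
// inline <script> to run? Not code from the original guide; simplified to the
// common directives (default-src, script-src, 'unsafe-inline', nonces, hashes,
// 'strict-dynamic'), not the full CSP specification.

function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources; // directive names are case-insensitive
  }
  return policy;
}

// script-src governs scripts; when it is absent, default-src is the fallback.
// With neither present the browser applies no restriction to scripts at all.
function effectiveScriptSources(policy) {
  if (policy["script-src"]) return policy["script-src"];
  if (policy["default-src"]) return policy["default-src"];
  return null;
}

// true when an attacker-injected inline script (which cannot carry a valid
// nonce or match a hash) would be allowed to execute under this header.
function allowsInlineScript(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' source makes 'unsafe-inline' ignored,
  // so only scripts carrying the right nonce/hash run, not injected ones.
  const strict = lower.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  if (strict) return false;
  return lower.includes("'unsafe-inline'");
}
```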

4. HttpOnly Cookies

Block session cookies from being accessed by JavaScript.


5. Use a Secure Framework

Modern frameworks such as React and Angular auto-escape output.


Secure Coding Example

❌ Vulnerable code:

echo $_GET['name'];

✅ Secure code:

echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');

Difference:

The vulnerable code outputs the value directly.
The secure code encodes special characters before outputting them.
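
The same encoding in JavaScript, as an added example that is not code from the original guide: escapeHtml does what htmlspecialchars with ENT_QUOTES does, and renderCommentSafe replays the comment-section scenario from earlier in the guide with the guide's own payloads as constructed input.

```javascript
// Added example: HTML output encoding in JavaScript, equivalent to PHP's
// htmlspecialchars($value, ENT_QUOTES, 'UTF-8'). Not code from the original guide.

// Every character that can change HTML structure, mapped to its entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the comment is concatenated into the HTML as-is.
function renderCommentUnsafe(comment) {
  return '<p class="comment">' + comment + "</p>";
}

// Secure rendering: the comment is encoded before it enters the HTML,
// so the browser shows the text instead of parsing it as markup.
function renderCommentSafe(comment) {
  return '<p class="comment">' + escapeHtml(comment) + "</p>";
}

// Constructed sample comments: the benign one and the two payloads from this guide.
const SAMPLE_COMMENTS = [
  "Nice article!",
  "<script>alert('Hacked');</script>",
  "<img src=x onerror=alert(1)>",
];

// Check whether the produced HTML still contains an element with this tag name.
function containsTag(html, tagName) {
  return new RegExp("<" + tagName + "\\b", "i").test(html);
}
```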


How to Practice in a Lab?

Never test on a random website.

Safe options:

  • DVWA (Damn Vulnerable Web App)
  • OWASP Juice Shop
  • Localhost setup
  • Virtual machine lab

In ethical hacking, permission is the most important rule.


Common Mistakes Beginners Make

  • Testing without permission
  • Treating just an alert box as success
  • Ignoring prevention techniques
  • Confusing SQLi with XSS

XSS Payload Examples (Educational Purpose)

Basic test:

<script>alert(1)</script>

Image event based:

<img src=x onerror=alert(1)>

For legal lab practice only.


Advanced XSS Concepts (Brief Overview)

  • Cookie stealing via document.cookie
  • DOM manipulation
  • Event handler injection
  • Stored XSS worm

At the advanced level, bug bounty hunters use these techniques.


The Right Security Mindset

An ethical hacker's goal is to:

  • Identify the vulnerability
  • Report it
  • Suggest a fix

Not to cause damage.


Learning Roadmap for Beginners

  1. HTML basics
  2. JavaScript basics
  3. Understand HTTP request and response
  4. Understand DOM manipulation
  5. Use Burp Suite
  6. Understand XSS payload testing
  7. Learn prevention techniques

FAQs

Q1: Is XSS illegal?

Testing a website without permission can be illegal.


Q2: Which type of XSS is the most dangerous?

Stored XSS is considered the most dangerous.


Q3: Are modern websites safe?

If secure coding and CSP are implemented, the risk is lower.


Q4: Can XSS steal a password?

Indirectly, yes: if the session cookie is stolen, the account can be hijacked.


Conclusion

XSS is a fundamental and dangerous web security attack that targets the user's browser. If input validation and output encoding are not done correctly, an attacker can inject malicious scripts.

Beginners should:

  • Build a strong understanding of the concept
  • Understand the types
  • Learn the prevention techniques
  • Practice in a safe lab
  • Always follow ethical boundaries

The golden rule of security:

  • Validate input
  • Encode output
  • Never trust user input

What’s Next?

Next guide:

  • OWASP Top 10 Explained in Hindi
    or
  • DOM-Based XSS Advanced Guide

Important Note

This content is shared only for educational purposes and cyber security awareness. Testing any website or system without permission can be illegal.
