XSS (cross-site scripting) lets an attacker get script of their choosing executed in pages served by a trusted site: stealing session cookies, redirecting users, capturing keystrokes, issuing requests as the victim, or defacing pages. Types: Reflected (payload echoed from the request), Stored (persistent, saved server-side and served to every viewer), DOM-based (the page's own client-side script writes untrusted data into the DOM).
XSS does not break the Same-Origin Policy; the injected script runs in the victim's browser inside the legitimate site's origin, so SOP grants it that site's cookies, DOM and API access. Prevention: context-aware output encoding (HTML-entity encode untrusted data before placing it in HTML body or quoted-attribute context; JavaScript, URL and CSS contexts each need their own encoder, and HTML encoding alone does not neutralize a javascript: URL in an href), Content Security Policy (CSP) to block inline and untrusted script sources, HttpOnly cookie flag (keeps document.cookie from exposing the session cookie, which limits damage but does not stop the XSS itself). Listed in the OWASP Top 10 for years; since the 2021 edition it is folded into A03:2021 Injection.
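An added example, not from the original notes, showing the reflected-XSS case above in plain Node.js: the vulnerable concatenation next to the encoded form, plus the URL-context check that HTML encoding alone misses. The function names, the payload string and the header values are constructed for illustration.

```javascript
// Added example: reflected XSS, vulnerable vs. hardened rendering (Node.js).
// All names and inputs below are hypothetical, constructed for this example.

// Characters that matter in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// HTML-entity encode untrusted data for HTML body / quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the untrusted query parameter is concatenated straight into markup,
// so a payload containing a tag becomes live HTML in the victim's browser.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: encode for the HTML text context before interpolating.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// URL context: escapeHtml() does nothing against "javascript:alert(1)" in an
// href, so allow-list the scheme first, then encode for the attribute.
function renderLinkSafe(href) {
  let url = null;
  try {
    url = new URL(href);
  } catch (e) {
    url = null; // not a parseable absolute URL
  }
  const allowed = url && (url.protocol === 'http:' || url.protocol === 'https:');
  const safeHref = allowed ? escapeHtml(url.href) : '#';
  return `<a href="${safeHref}">link</a>`;
}

// Constructed attacker payload (not from the original page).
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Crude check: does the rendered markup still contain an unencoded img/script tag?
function containsInjectedTag(html) {
  return /<(img|script)\b/i.test(html);
}

// Defence in depth: headers an HTTP handler would set alongside encoding.
// CSP blocks inline and off-origin script; HttpOnly keeps document.cookie
// from exposing the session cookie if an injection still gets through.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'Set-Cookie': 'session=abc123; HttpOnly; Secure; SameSite=Lax',
  };
}

// Stand-alone demonstration.
console.log('vulnerable :', renderSearchVulnerable(PAYLOAD));
console.log('safe       :', renderSearchSafe(PAYLOAD));
console.log('bad href   :', renderLinkSafe('javascript:alert(1)'));
console.log('good href  :', renderLinkSafe('https://example.com/'));
console.log('headers    :', securityHeaders());
```

The point of `renderLinkSafe` is that output encoding is per context: the same `escapeHtml` that neutralizes the `<img onerror>` payload in body text would leave `javascript:alert(1)` intact inside an `href`, which is why the scheme is allow-listed before encoding.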