How a Cross-Site Scripting Vulnerability Led to Account Takeover

ID: 1314de1a-36a0-53b8-8bdb-a0fa3fca1e4f

STIX ID: report--1314de1a-36a0-53b8-8bdb-a0fa3fca1e4f

Feed Name: HackerOne Blog

Threat Score
50/100

Date Published: 2024-11-27

Date Updated: 2026-06-12

...
...

This report describes Cross-Site Scripting (XSS) in its reflected, stored, and DOM-based variants, its common causes (untrusted input reaching an HTML, attribute, JavaScript or URL sink without context-appropriate encoding), its impacts (including session theft and account takeover), and mitigations such as input validation, contextual output encoding, and a Content Security Policy. It summarizes a HackerOne-disclosed reflected XSS on yelp.com that, via manipulated cookie values, could be escalated to persistent XSS and account takeover, notes the $6,000 bounty awarded, and recommends bug bounty/PTaaS programs and secure coding practices to find and fix XSS.
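To make the reflected-to-persistent escalation and the two recommended defences concrete, the block below is an added example written for this page; it is not code from the HackerOne post, from Yelp, or from the feed, and it does not reproduce the disclosed Yelp bug. All names (`renderUnsafe`, `renderSafe`, `parseCookies`, `injectedTags`, `buildCsp`) and the sample cookie header are assumptions constructed for illustration. It shows the same template sink fed from a cookie the attacker has already set (so the payload re-fires on every page view, which is what turns a one-shot reflected XSS into a persistent one), first without encoding and then with HTML-body output encoding, plus a nonce-based CSP header as the defence-in-depth layer.

```javascript
// Added example, not from the HackerOne post or the feed. Shows a server-side
// template that reflects a cookie-derived value unsafely, the hardened version
// with contextual output encoding, and a CSP header that blocks inline script.

// Encoder for the HTML-body and quoted-attribute contexts only. Values placed
// inside <script>, inline event handlers, or URLs need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Vulnerable sink: the untrusted value is spliced straight into markup.
function renderUnsafe(displayName) {
  return `<p>Hello, ${displayName}!</p>`;
}

// Hardened sink: encode for the HTML-body context before interpolation.
function renderSafe(displayName) {
  return `<p>Hello, ${escapeHtml(displayName)}!</p>`;
}

// Minimal Cookie-header parser (assumed helper). A cookie is attacker-writable
// if any XSS on the same registrable domain has run once, which is why a
// reflected bug that can set a cookie becomes persistent on every later view.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Check used here to show the difference: list element tags in the rendered
// HTML that the template itself did not emit (the template only emits <p>).
function injectedTags(html, allowed = ['p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((t) => !allowed.includes(t));
}

// Content-Security-Policy recommended alongside encoding: no inline script
// unless it carries the per-response nonce, no plugins, no <base> hijacking.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Constructed sample input: a session cookie plus a display-name cookie that
// an attacker has previously written with an XSS payload.
const SAMPLE_COOKIE_HEADER = 'session=abc123; display_name=<img src=x onerror=alert(1)>';

function demo(cookieHeader = SAMPLE_COOKIE_HEADER, nonce = 'r4nd0m') {
  const name = parseCookies(cookieHeader).display_name;
  const unsafe = renderUnsafe(name);
  const safe = renderSafe(name);
  return {
    unsafe,
    safe,
    injectedUnsafe: injectedTags(unsafe), // ['img']: the payload became markup
    injectedSafe: injectedTags(safe),     // []: the payload is inert text
    csp: buildCsp(nonce),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats a practitioner should keep in mind: the encoder above is correct only for the HTML-body and quoted-attribute contexts, so a value landing inside a `<script>` block, an `on*` handler, a `javascript:` URL, or a DOM sink such as `innerHTML` needs a different treatment (JavaScript-string encoding, URL validation, or using `textContent` instead); and the CSP is a backstop, not a substitute, because a policy with `'unsafe-inline'` or an overly broad `script-src` leaves injected markup executable.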