Glossary

CROSS-SITE SCRIPTING / XSS
defined.

A vulnerability where attacker-controlled JavaScript runs in another user’s browser session within the vulnerable site’s own origin, so the same-origin policy does not contain it. It enables cookie theft, session hijack, or arbitrary actions performed as the victim (form submissions, API calls, password changes) using the victim’s existing authentication.


What is Cross-Site Scripting (XSS)?

Three flavours: reflected (the payload arrives in the request, typically a crafted link the victim is lured into opening, and is echoed unencoded in the immediate response), stored (the payload is saved server-side, in a comment, profile field or support ticket for example, and served to every user who later views it), and DOM-based (the payload never needs to reach the server: client-side JavaScript reads attacker-controlled data such as location.hash, location.search or document.referrer and passes it to a dangerous sink such as innerHTML, document.write or eval).

Defence: output encoding chosen for the context the value lands in (HTML body, quoted attribute, JavaScript string, URL), because no single encoder is safe in every context; a nonce- or hash-based CSP with 'strict-dynamic' as defence in depth, so an injected script tag that lacks the per-response nonce does not execute; and Trusted Types in browsers that support them, which reject plain string assignments to DOM sinks such as innerHTML unless the value has passed through a registered policy. Marking the session cookie HttpOnly stops cookie theft but not an attacker acting as the victim from inside the page.
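The following is an added example, not code from this glossary or from any product it describes. It shows the context-specific encoders the defence paragraph refers to (HTML body, quoted attribute, JavaScript string), the DOM-based sink/safe-sink pair from the flavours paragraph, and a strict nonce-based CSP header. All function names, the sample template and the attacker string are hypothetical and constructed for illustration.

```javascript
// Added example (not the glossary's code). Function names are hypothetical.

// Constructed sample: a value the attacker controls, e.g. a ?q= search parameter
// or the URL fragment. It closes an attribute, then injects a tag with a handler.
const ATTACKER_INPUT = '"><img src=x onerror=alert(1)>';

// HTML body context: encode the five characters that can change HTML structure.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Quoted HTML attribute context: encode everything outside [A-Za-z0-9] as &#xHH;
// so no quote, slash or whitespace can terminate the attribute. Only safe when
// the template also wraps the value in quotes.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c =>
    '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript string-literal context (inside <script>var q = "...";</script>):
// \xHH, \uHHHH or \u{H...} escapes, so the value cannot end the literal, add a
// statement, or close the element with a literal "</script>".
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return '\\u{' + cp.toString(16) + '}';
  });
}

// Constructed server-side template placing the same value in all three contexts.
// Each slot uses the encoder for its own context. An event-handler attribute
// (onclick="...") would need JS encoding and then attribute encoding, because the
// browser entity-decodes the attribute before running it as JavaScript.
function renderSearchPage(q) {
  return [
    '<p>Results for ' + encodeHtml(q) + '</p>',
    '<input name="q" value="' + encodeHtmlAttr(q) + '">',
    '<script>var q = "' + encodeJsString(q) + '";</script>',
  ].join('\n');
}

// DOM-based flavour: the payload rides in the URL fragment, which is never sent
// to the server, so server-side encoding cannot help. The vulnerable pattern is
//   el.innerHTML = decodeURIComponent(location.hash.slice(1));
// The hardened version writes through a text sink, so the browser stores the
// characters as data and never parses them as markup. `el` is any DOM element;
// the test below passes a plain object in place of one.
function renderFromHash(el, hash) {
  const value = decodeURIComponent(hash.replace(/^#/, ''));
  el.textContent = value;
  return value;
}

// Strict CSP header for the defence-in-depth layer. The nonce must be fresh per
// response, generated by a CSPRNG (at least 16 random bytes, base64-encoded),
// and echoed on every <script nonce="..."> the page legitimately loads.
// 'strict-dynamic' lets those scripts load further scripts and makes browsers
// ignore host allow-lists; an injected <script> without the nonce is blocked.
// The https: and 'unsafe-inline' tokens are ignored by browsers that understand
// nonces and exist only as a fallback for old ones. require-trusted-types-for
// switches on Trusted Types enforcement where the browser supports it.
function strictCspHeader(nonce) {
  if (!/^[A-Za-z0-9+/]{22,}={0,2}$/.test(nonce)) {
    throw new Error('nonce must be base64 of at least 16 random bytes');
  }
  return [
    `script-src 'nonce-${nonce}' 'strict-dynamic' https: 'unsafe-inline'`,
    "object-src 'none'",
    "base-uri 'none'",
    "require-trusted-types-for 'script'",
  ].join('; ');
}
```

Run `renderSearchPage(ATTACKER_INPUT)` and inspect the three lines: the same input is rendered three different ways, and in none of them does a raw `<img` survive. The attribute and JavaScript encoders deliberately over-encode (everything outside alphanumerics) because the set of characters that break out of those contexts is larger and browser-dependent; the HTML body encoder only needs the five structural characters. The CSP header is sent as `Content-Security-Policy: ...` with the same nonce the page's script tags carry.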

Where this shows up.

See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.

Test for this in your stack

BOOK A FREE
scoping call.

30-minute call with an OSCP-certified engineer. Tailored proposal in 24 hours.