Cross-Site-Scripting

sanket narawade
4 min read

Here we will look at what cross-site scripting is, what the different types of cross-site scripting are, where cross-site scripting can be found and how filters get bypassed, and what its impact and mitigations are.

Definition

Cross-site scripting (XSS) is when an attacker injects malicious JavaScript code into different parts of the application so that it runs in other users' browsers.

Types of XSS:

  1. Stored XSS: the attacker injects JavaScript code into the application and it gets stored in the database; whenever a client interacts with that stored data, the JavaScript is executed.

  2. Reflected XSS: the attacker injects malicious JS into the application, specifically into a URL parameter. Whenever someone clicks that link, the JS is executed automatically.

  3. DOM XSS: the application updates the DOM with untrusted data. Because that untrusted data is controlled by the attacker, malicious JS gets executed.

  4. Blind XSS: the attacker injects JS into the application, but it does not fire in the application directly; it is executed in a backend application instead (admin page, customer-support page).

Where in the application can XSS be found?

  1. If the application uses forms, check every parameter (username, password, etc.), i.e. every field where the user needs to provide input.

  2. An attacker can inject malicious JS into a URL parameter.

  3. Malicious JS can be injected through an HTTP header.

  4. If the application has file-upload functionality, an attacker can inject JS into that field.

  5. If the application uses third-party integrations.

  6. If the application sends a POST request whose body consists of JSON/XML, an attacker can change the Content-Type and inject JS.

  7. If the application has hidden parameters, and those parameters use a callback function, malicious JS can be injected there.

  8. If the application uses Markdown (Markdown is used to add special characters and formatting when we want them to appear on the website), an attacker can inject and execute JS.

  9. Inside the application, tags like “Title”, “Style” and “Textarea” can be used to inject JavaScript into the application.

Different bypasses used to get XSS to execute

  1. If the firewall blocks the “script” tag, use “<ScRipt>alert()<ScRipt>” instead, in mixed case.

  2. Use a second occurrence of the script tag: “<u> test123<script>alert()</script><script>alert()</script)”.

  3. If the firewall blocks the script tag, use event handlers like onclick, onload, onerror, etc.

  4. If a tag takes an attribute parameter, add the JS payload there (<u> test123<iframe src=javascript:alert()>).

  5. To check for reflection in the website, don’t close the tag.

  6. Send the JS payload in all the parameters in an “encoded” form (octal, Unicode, Base64, HTML encoding) so that it bypasses the filter more easily.

  7. Remove the closing tag (<script>alert()//).

  8. Payload: <aAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa href= javascript:alert()>XSS</a>.

  9. Use backticks instead of parentheses (<script>alert`XSS`</script>).

  10. Prepend an additional “<” (<<script>alert()</script>).

Vulnerabilities that can be chained with XSS

  1. XSS + CSRF: if the attacker can inject JS into the application, it is easy for them to grab the CSRF token, and with that token the attacker can make any change to the account (account takeover).

  2. XSS + privilege escalation: an attacker can use XSS to get a user's session token and escalate their privileges.

Impact

  1. Trust issues: if an application is compromised by XSS it might be flagged as unsafe. This can lead to loss of reputation and user trust.

  2. Phishing attacks: if an application is compromised by XSS, users can be tricked into providing sensitive information like usernames, passwords and payment details.

  3. Malware distribution: scripts can be used to automatically download or execute malware on users' devices, which can give the attacker access to personal devices, cameras, etc.

Mitigation

  1. Always check whether the user is providing correct input; if not, reject it.

  2. To mitigate XSS, use a CSP (Content-Security-Policy) with a “strict” policy and “self” sources.

  3. Use the “X-XSS-Protection” header to mitigate XSS vulnerabilities.

  4. Protect cookies from being accessed by JavaScript by setting the “HttpOnly” flag, and additionally use the “Secure” flag so cookies are only transferred over “HTTPS”.

  5. Use a JavaScript library to help mitigate XSS (DOMPurify, xss, Jsoup).
