OWASP Top Ten 2017 - A7 Cross-Site Scripting (XSS)


Cross-Site Scripting (XSS) vulnerabilities occur when an application includes untrusted data in a web page without proper validation and escaping, thus failing to neutralize the special characters that separate control flow from data.

In modern applications, such as Single Page Applications built with React, AngularJS or Vue.js, or applications that make heavy use of JavaScript and jQuery, XSS arises when an existing web page is updated with user-supplied data through a browser API that creates HTML or JavaScript.

XSS allows an attacker to execute scripts in the victim's browser, potentially taking control of the user session, defacing the website, or redirecting users to a malicious site.

Reference: OWASP Top 10 Application Security Risks - 2017, A7:2017-Cross-Site Scripting (XSS)

XSS belongs to the family of Injection vulnerabilities, since it stems from a missing separation between control flow (the HTML tags and DOM structure of the web page) and data supplied by the user or retrieved from the database.

Once control flow and data are flattened into a single textual stream, the browser has no way to reconstruct the developer's original intent and will blindly execute the code the attacker injected.
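The flattening described above, shown as an added example that is not part of the original post: the same comment is rendered once by concatenating untrusted fields straight into markup (the string a page would hand to a sink such as innerHTML) and once with the HTML control characters escaped first. The comment text, author name and the `evil()` function name are constructed sample values; counting the tags the parser would see makes the lost boundary between control and data visible.

```javascript
// Added example, not code from the original article.
// Escape the characters HTML uses to separate markup (control) from text (data).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: untrusted data is concatenated directly into the markup.
// In a page this string would typically be assigned to element.innerHTML.
function renderCommentUnsafe(author, text) {
  return `<li class="comment"><b>${author}</b>: ${text}</li>`;
}

// Fixed: every untrusted field is escaped before it joins the markup.
// (In a DOM-based SPA the equivalent fix is element.textContent = text,
// or the framework's default text binding, instead of an HTML-creating API.)
function renderCommentSafe(author, text) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// Count the tags an HTML parser would see in the rendered fragment.
// The template itself contributes exactly four: <li>, <b>, </b>, </li>.
// Any tag beyond that number came out of the data, not the developer's markup.
function tagCount(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}
const TEMPLATE_TAGS = 4;

// Constructed untrusted input: a comment body that smuggles in a script element.
const untrusted = { author: 'mallory', text: 'nice post <script>evil()</script>' };

const unsafeHtml = renderCommentUnsafe(untrusted.author, untrusted.text);
const safeHtml = renderCommentSafe(untrusted.author, untrusted.text);

// Unsafe rendering: 6 tags, two of them injected by the data.
// Safe rendering: still exactly the 4 tags the developer wrote.
console.log(tagCount(unsafeHtml) - TEMPLATE_TAGS, 'tag(s) injected without escaping');
console.log(tagCount(safeHtml) - TEMPLATE_TAGS, 'tag(s) injected with escaping');
```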

Francesco Ongaro
