Cross-Site Scripting (XSS)
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Cross-site scripting (XSS) is a type of injection attack where malicious scripts are injected into otherwise trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. There are three main types: Stored XSS (persisted in the database), Reflected XSS (included in the HTTP response), and DOM-based XSS (executed through client-side JavaScript).
XSS can be used to steal session cookies, redirect users to malicious sites, deface web pages, or perform actions on behalf of authenticated users. Modern frameworks provide some built-in protection, but edge cases in template rendering and client-side routing continue to create XSS opportunities.
How APVISO tests for this: APVISO tests for all three XSS variants using context-aware payload generation. The scanner agent understands HTML contexts (attribute values, script blocks, event handlers) and generates payloads that bypass common WAF rules and framework-level sanitization.
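An added example (not APVISO's code) of why the HTML contexts named above matter on the defensive side: each output context needs its own encoder, and an HTML entity encoder alone does not protect a script block or a URL attribute. Function names and the sample inputs are constructed for illustration.

```javascript
// Added example: context-specific output encoding for untrusted data.
// All function names are hypothetical; the sample inputs are constructed.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Element-body and quoted-attribute context: encode the five HTML metacharacters.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// Script-block context: JSON.stringify yields a valid JS string literal, but a
// "</script>" inside it would still end the block for the HTML parser, so
// <, >, & and the JS line separators are rewritten as \uXXXX escapes.
function encodeJsLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL-attribute context: entity encoding cannot neutralise a javascript: URL,
// so the scheme is allow-listed before the value is encoded.
function safeHref(value) {
  let url;
  try { url = new URL(String(value), 'https://example.invalid/'); } catch { return '#'; }
  return ['http:', 'https:'].includes(url.protocol) ? encodeHtml(value) : '#';
}

// Weak: one HTML encoder reused for the href, raw value inside the script block.
function renderNaive(name, link) {
  return `<a href="${encodeHtml(link)}">${encodeHtml(name)}</a>` +
         `<script>var user = "${name}";</script>`;
}

// Hardened: the encoder is chosen by the context the value lands in.
function renderSafe(name, link) {
  return `<a href="${safeHref(link)}">${encodeHtml(name)}</a>` +
         `<script>var user = ${encodeJsLiteral(name)};</script>`;
}

// Constructed sample inputs (textbook strings, not taken from the page).
const SAMPLE_NAME = '</script><script>alert(1)</script>';
const SAMPLE_LINK = 'javascript:alert(1)';
```

Comparing `renderNaive(SAMPLE_NAME, SAMPLE_LINK)` with `renderSafe(SAMPLE_NAME, SAMPLE_LINK)` shows the difference: the hardened output contains exactly one `</script>` and an inert `href="#"`.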