Cross-Site Scripting

XSS

A class of injection vulnerabilities where untrusted input is executed as active content in a victim’s browser, enabling session theft, defacement, or redirection.

#appsec #web #cwe #capec

Last updated: 2025-08-22T00:00:00.000Z

Differences across sources

Parallel sources use distinct terminology or emphasize different aspects. Review each citation to understand scope and normative intent.

Evidence

CWE: CWE-79, Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) [normative evidence]

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page.

cwe.mitre.org
CAPEC: CAPEC-63, Cross-Site Scripting [normative evidence]

An adversary exploits improper input validation to inject malicious script that the victim’s browser executes in the context of a trusted site.

capec.mitre.org
Other: OWASP, Cross Site Scripting (XSS) [informative evidence]

XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

owasp.org

Mappings

CWE-79, CAPEC-63, CISSP Domain 8

Examples

Reflected XSS

An application reflects unsanitized query parameters into HTML without proper encoding, executing attacker-controlled script on the victim’s browser.

Stored XSS

Malicious script stored in a database or comment is served to users and executed in their browsers.

More context

Defense-in-depth includes output encoding appropriate to each context the input lands in (HTML body, attribute, JavaScript, URL), input validation, Content Security Policy (CSP), and avoiding dangerous sinks (e.g., innerHTML).
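The following is an added example, not code from the page or from any of the cited sources. It shows the reflected and stored patterns from the Examples section side by side with the output-encoding defense from this section: an unsafe renderer that concatenates a query parameter into HTML, a safe renderer that HTML-encodes first, and a stored-comment renderer that encodes at output time. The function names, the sample input and the CSP string are assumptions constructed for the example; the encoder covers the HTML body and quoted-attribute contexts only (JavaScript and URL contexts need their own encoders).

```javascript
// Added example: HTML-context output encoding for reflected and stored data.
// Names and sample values below are constructed for illustration.

// The five characters that change meaning in HTML text and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for the HTML body or a double/single-quoted attribute.
// Not sufficient on its own for JavaScript or URL contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected XSS pattern: the query parameter is concatenated into the page raw.
function renderSearchUnsafe(q) {
  return `<p>Results for: ${q}</p>`;
}

// Hardened form: encode before placing the parameter in the HTML body context.
function renderSearchSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Stored XSS defense: encode at output time, whatever was stored earlier.
// Each comment is an object { author, body } as it would come back from storage.
function renderComments(comments) {
  const items = comments.map(
    (c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`
  );
  return `<ul>${items.join('')}</ul>`;
}

// Coarse check used to demonstrate the difference: does the rendered HTML
// still contain a script element or an inline event-handler attribute?
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed CSP that blocks inline script even if encoding is missed somewhere.
// Sent as the Content-Security-Policy response header.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'";

// Constructed sample input: markup arriving through a query string or a comment form.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// On the client side, the equivalent rule is to assign untrusted text to
// element.textContent rather than element.innerHTML, so no parsing happens at all.

console.log(renderSearchUnsafe(SAMPLE_INPUT));
console.log(renderSearchSafe(SAMPLE_INPUT));
console.log(renderComments([{ author: 'Tom & "Jerry"', body: SAMPLE_INPUT }]));

module.exports = { escapeHtml, renderSearchUnsafe, renderSearchSafe, renderComments, containsActiveContent, CSP_HEADER, SAMPLE_INPUT };
```

Run with `node` to see the raw and encoded renderings next to each other; the unsafe output still carries a script element, the encoded output carries only text.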

Often confused with

See also