Cross-Site Scripting (XSS), is exploited when the attacker can successfully execute any type of script (for example, JavaScript) on the victim's browser. These types of flaws exist because the developer did not validate the request or correctly encoded the response of the application. JavaScript is not the only script language used for XSS but it is the most common (in fact it's my favorite); attackers sometimes use scripting languages such as VBScript, ActiveX, Flash, and many more.

XSS is very popular and I encounter it every day while testing web applications. Every time I see a message displayed on the page that reflects a user input or behavior, then most probably it is vulnerable to XSS. But don't worry, with experience and practice, things will become more obvious to you as well. There are three types of XSS attacks: Stored, Reflected, and DOM Injection. Let's start with the easiest to understand, the reflected XSS.