XSS can occur when you display text which a user entered. ASP.NET Core automatically HTML-encodes text when you output it with @Model, but writes the string out unchanged if you use @Html.Raw. The following code creates a form where the user can enter their user name. The input is displayed once in a safe way and once in an unsafe way.

Is your web application vulnerable to cross-site scripting (XSS)?
If that sounds more like activities on your web application that users might participate in, then read on. In 2014, cross-site scripting (XSS) was identified as the most frequently found vulnerability amongst the vulnerabilities tested for in web applications.

What is XSS and how does it work?
XSS vulnerabilities generally occur when an application takes user input and outputs it to a page without validating, encoding or escaping it. At a basic level, XSS works by tricking your application into inserting a <script> tag into your rendered page, or by inserting an on* event handler attribute into an element, so that the browser executes attacker-supplied script in the context of your site.

What is the OWASP classification of XSS?
OWASP recommends the XSS categorization described in the OWASP article "Types of Cross-Site Scripting", which covers all of these XSS terms and organizes them into a matrix of Stored vs. Reflected XSS and Server vs. Client XSS, where DOM Based XSS is a subset of Client XSS.
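The form described in the first paragraph, with the encoding behaviour from the "What is XSS" paragraph annotated in comments, as an added example. This is not the listing the page originally referred to, nor code from the ASP.NET Core project; it assumes a standard Razor Pages project whose _ViewImports.cshtml enables the built-in tag helpers (so the form tag helper emits the antiforgery token), and the file name Pages/Greet.cshtml, the property name UserName and the sample inputs in the comments are assumptions constructed for this example.

```cshtml
@page
@using Microsoft.AspNetCore.Mvc
@*
  Pages/Greet.cshtml (assumed name). Added example, not the page's own code.
  Takes a user name via a POST form and renders it twice: once through the
  normal @ expression (HTML-encoded) and once through @Html.Raw (unchanged).
  The page class itself acts as the model here, so @UserName is the same
  value the page text calls @Model.UserName.
*@
@functions {
    // Bound from the posted form field named "UserName" on POST.
    [BindProperty]
    public string UserName { get; set; } = "";

    public void OnGet() { }

    // No logic required: model binding fills UserName before the page renders.
    public void OnPost() { }
}

<form method="post">
    <label for="UserName">User name</label>
    @* Attribute context: Razor encodes the value here as well, so quotes cannot close the attribute. *@
    <input id="UserName" name="UserName" value="@UserName" />
    <button type="submit">Show</button>
</form>

@if (!string.IsNullOrEmpty(UserName))
{
    <h2>Safe</h2>
    @*
      Razor passes the value through HtmlEncoder before writing it, so a
      constructed input such as <script>alert('xss')</script> is emitted as
      text: '<' becomes &lt;, '>' becomes &gt; and quotes become entities.
      The browser displays the characters and never parses a tag or an
      on* event handler attribute out of them.
    *@
    <p>Hello, @UserName</p>

    <h2>Unsafe</h2>
    @*
      Html.Raw tells Razor the string is already HTML and writes it unchanged.
      The same input now becomes a live <script> element, and a constructed
      input like <b onmouseover="alert('xss')">hi</b> becomes an element with
      an event handler that runs when hovered. This branch exists only to show
      the difference: never pass user-controlled data to Html.Raw.
    *@
    <p>Hello, @Html.Raw(UserName)</p>
}
```

Submitting the form with plain text shows the same greeting twice; submitting markup shows it as literal text under "Safe" and as rendered, script-capable HTML under "Unsafe". In a real application the fix is simply to delete the Html.Raw branch: the default @ expression output is the safe path, and Html.Raw should be reserved for markup your own code produced.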