Cross-Site Scripting (XSS) is a common vulnerability in web applications that allows an attacker to execute client-side JavaScript in another user's browser, potentially leading to session hijacking, sensitive action bypass, and other malicious activities. XSS can range from minor to critical severity and is challenging to prevent due to its dynamic nature. Gaining access to an XSS vulnerability enables attackers to steal session tokens, bypass Same Origin Policy (SOP), exfiltrate information, and perform sensitive actions as if logged in by the victim user. The root cause of XSS vulnerabilities lies in the improper escape of user input when reflected back to the application, allowing client-side JavaScript to be injected and executed. XSS can be categorized into different types, including Reflected XSS, Persistent/Stored XSS, DOM XSS, and Self-XSS. Context is crucial in understanding how user input may be injected into various contexts, such as HTML tags, attributes, comments, event handlers, URLs, and scripts. To discover XSS vulnerabilities, manual testing, XSS polyglots, automated scanners, and basic filter bypasses are used. Once an XSS vulnerability is identified, it can be escalated using methods like including longer payloads, bypassing the SOP, and taking over user accounts. Other cases of XSS include length-limited payloads, link injection, referer header XSS, and RCE via XSS in Electron apps. Understanding these concepts and techniques is essential for identifying and mitigating XSS vulnerabilities in web applications.