Why XSS still matters: MSRC’s perspective on a 25-year-old threat msrc.microsoft.com/blog/2025…

Cross-Site Scripting (XSS) has been a known vulnerability class for two decades, yet it continues to surface in modern applications, including those built with the latest frameworks and cloud-native architectures. At Microsoft, we still receive a steady stream of XSS reports across our services, from legacy portals to newly deployed single-page apps. Despite advancements in browser security, content security policies (CSP), and secure-by-default libraries, XSS remains a persistent threat vector with real-world consequences.

That’s why we’re sharing this series: to explore why XSS still matters, how Microsoft approaches detection and mitigation, and what we’ve learned from real-world incidents. Whether you’re a security engineer reviewing bug bounty submissions or a developer building secure-by-default components, understanding the evolving nature of XSS is critical to defending modern web ecosystems.