Introduction

The OWASP Top 10 lists the most common web application risk categories, ranked from vulnerability data gathered from real-world applications and refreshed every few years. While this is a useful overview, a category's rank says nothing about the impact a specific finding has in a specific application. For example, being able to register an account on a webshop is expected behaviour, but being able to register on a private, invite-only website is something that can have quite a lot of impact.

The OWASP Top 10 also covers websites in general, and it has been discussed so often that you can find a host of references online, but those references tend to be more general than a bug bounty hunter needs. The category "Injection", for example, covers a range of different vulnerabilities (SQL injection, OS command injection, LDAP injection and more); when it comes to bug bounties it is more useful to talk about the specific vulnerability.

XSS

What is it?

Cross-site scripting (XSS) is an often misunderstood vulnerability type. People often confuse it with HTML injection; HTML injection can lead to XSS, but it is by far not the only way to get there. Besides the context in which the injected data lands (HTML body, tag attribute, JavaScript string, URL), XSS can be introduced on the server side, where the payload is written into the HTTP response, or purely in the DOM, where client-side JavaScript writes untrusted data into a sink such as innerHTML. In either case it can be reflected (the payload comes from the current request) or stored (the payload was saved earlier and is served to other users).

Contrary to popular belief, XSS is not limited to a `<script>` tag with JavaScript in it either: event handler attributes, `javascript:` URLs and, in legacy Internet Explorer, VBScript are all ways to get a script to execute.

How can it be abused?

Cross-site scripting can be abused in many different ways, some more impactful than others, but here are some common ways attackers abuse this issue type:

How to protect against it?

This issue type revolves around sanitising user input, both at the point where the user enters the data and at every point where it is reflected back. The distinction matters: we might forget to sanitise one of the user's inputs, but as long as every reflection point encodes the data correctly for the context it lands in, an attacker still cannot pull off an XSS attack. Relying on input filtering alone is fragile, because the same value is often reflected in several contexts (HTML text, an attribute value, a JavaScript string) and each one has different characters that break out of it.