This chapter deals with cross-site scripting (XSS), an attack vector that can be used to steal sensitive information, hijack user sessions, and compromise the integrity of the browser and the underlying system. XSS vulnerabilities have existed since the early days of the Web. In 1999, inspired by the work of Georgi Guninski, David Ross published the first paper on XSS flaws, entitled “Script Injection.” In 2005, the first XSS worm, known as Samy, attacked the popular social networking Web site MySpace. Today, XSS vulnerabilities represent the biggest threat to e-commerce, an industry that moves billions of dollars a day.

This chapter further discusses AJAX, a technology that powers interactive Web applications with improved user experience, greater usability, and increased processing speed. The core component of AJAX is the XMLHttpRequest object, which gives script greater control over the request and the response initiated by the browser. The DOM is a W3C standard that defines how to represent XML (and HTML) documents as tree structures. It is important to understand the basics of XML and AJAX, as they are becoming an integral part of the Internet, and to understand the impact these technologies have on traditional Web application security testing.
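The following example is added here to make the chapter's central point concrete; it is not code from the chapter. It contrasts the classic XSS sink, where untrusted data (a query parameter or a field from an XMLHttpRequest response) is concatenated straight into markup, with the same rendering done through an output encoder. It runs under Node without a browser DOM, so the "sink" is simulated as the string that would be assigned to `element.innerHTML`; the function names, the `HTML_ESCAPES` table and the sample input are all assumptions of this example.

```javascript
// Added example (not the chapter's own code): an XSS-prone rendering
// pattern beside its output-encoded form. No DOM is needed; the
// returned string stands in for what a page would assign to innerHTML.

// Characters that must be encoded before untrusted text is placed in an
// HTML element body or a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every significant character; a global regex with a replacement
// callback covers all occurrences in one pass.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: data the server or an XHR response handed us is
// spliced into markup unchanged, so any tags in it become live DOM.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '!</p>';
}

// Hardened pattern: identical template, but the data is encoded for the
// HTML-text context it lands in, so it can only ever render as text.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

// Rough check a unit test or code review might apply to a rendered
// fragment: does it contain any tag the template did not contribute?
// This template contributes exactly one <p> and one </p>.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?p>$/.test(t));
}

// Constructed sample input: the conventional harmless XSS test string.
const SAMPLE_INPUT = '<script>alert(1)</script>';

console.log('unsafe:', renderGreetingUnsafe(SAMPLE_INPUT));
console.log('safe:  ', renderGreetingSafe(SAMPLE_INPUT));
```

The encoder is context-specific: it is correct for element text and double-quoted attribute values, which is where the vast majority of injected output ends up, but data placed inside a `<script>` block, a URL, or a CSS property needs the encoding rules of that context instead. The `containsInjectedTag` check is deliberately crude and is meant as a regression test for a known template, not as a general XSS detector.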