
Anatomy of a Modern XSS Attack

Cross-site scripting used to be simple. You would put a script tag in an input field and see if the browser executed it. Those days are long gone. Modern XSS attacks are sophisticated, multi-step operations that bypass WAFs, CSP headers, and framework-level protections.

In a recent engagement, our agents discovered a stored XSS chain that no scanner had flagged. The attack worked like this. A user profile field accepted markdown input. The markdown parser correctly sanitized standard HTML tags. But the pipeline did not account for a specific Unicode normalization behavior: a crafted character sequence passed the sanitizer as harmless text and was only later transformed into an event handler.

The payload only triggered when another user viewed the profile in a specific browser rendering context. A traditional scanner would not find this, because finding it requires understanding how the markdown parser, the Unicode normalizer, and the browser rendering engine interact.

Our agent found it by doing what a curious researcher would do. It noticed that certain Unicode characters were being transformed during rendering. It started testing variations. It mapped out exactly which characters survived the sanitization pipeline and which ones got transformed into something useful. Then it built a working payload from those pieces.

This is a pattern we see repeatedly. Each component is secure in isolation. The vulnerability exists in the interaction between components, and finding it requires creative thinking, not just pattern matching.

Modern XSS prevention requires defense in depth. Content Security Policy headers are essential but not sufficient on their own. Output encoding must be context-aware: HTML body, attribute, URL, and JavaScript contexts each need different encoding. Normalize Unicode before sanitizing, and run no further transformation after the sanitizer, so that the sanitizer sees exactly the text the browser will parse. And regular testing with tools that actually reason about how components interact is the only way to catch what static rules miss.
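The sanitize-then-normalize interaction described in the engagement above, and the normalize-before-sanitize ordering recommended here, as an added JavaScript example. This is not code from the original post or from the engagement: the toy sanitizer, the payload and both pipelines are constructed for illustration, and the normalization behavior it relies on is NFKC's documented folding of fullwidth punctuation (U+FF1C, U+FF1D, U+FF1E) to ASCII `<`, `=` and `>`, not the specific sequence the agent found. The last function generalizes the researcher's step of mapping which characters survive the sanitizer and fold into something useful.

```javascript
// Added example, not code from the original post. Everything here is a
// constructed illustration: the toy sanitizer stands in for a real
// markdown/HTML sanitizer, and the payload uses NFKC compatibility
// mappings (fullwidth U+FF1C/U+FF1D/U+FF1E fold to ASCII < = >) rather
// than the specific sequence found in the engagement.

// Toy sanitizer: strips anything that parses as an ASCII tag and any
// on*= event-handler attribute. Deliberately simple; it only ever sees
// the string as given, which is the weakness the example exercises.
function sanitizeHtml(s) {
  return s
    .replace(/<[^>]*>/g, "")       // drop <...> tags
    .replace(/\bon\w+\s*=/gi, ""); // drop onerror=, onload=, ...
}

// A display-time step that folds compatibility characters to their
// canonical forms. Renderers and storage layers often do this implicitly.
function normalizeForDisplay(s) {
  return s.normalize("NFKC");
}

// Vulnerable order: the sanitizer runs on the raw input, then
// normalization rewrites characters into the HTML the browser parses.
function vulnerablePipeline(input) {
  return normalizeForDisplay(sanitizeHtml(input));
}

// Hardened order: normalize to the exact form the browser will see, then
// sanitize, and apply no further transformation after the sanitizer.
function hardenedPipeline(input) {
  return sanitizeHtml(input.normalize("NFKC"));
}

// Oracle: does the rendered string contain a tag or an inline event
// handler that a browser would act on?
function containsActiveHtml(s) {
  return /<[a-z][^>]*>/i.test(s) || /\bon\w+\s*=/i.test(s);
}

// Researcher step from the post, generalized: enumerate BMP code points
// that the sanitizer passes untouched but that NFKC folds to an
// HTML-significant ASCII character. Returns { "<": ["U+FE64", ...], ... }.
function findNormalizationSmuggles(sanitize, significant = "<>=\"'/") {
  const found = {};
  for (let cp = 0x80; cp <= 0xffff; cp++) {
    if (cp >= 0xd800 && cp <= 0xdfff) continue; // skip lone surrogates
    const ch = String.fromCodePoint(cp);
    const folded = ch.normalize("NFKC");
    if (folded.length === 1 && significant.includes(folded) && sanitize(ch) === ch) {
      const hex = "U+" + cp.toString(16).toUpperCase().padStart(4, "0");
      (found[folded] = found[folded] || []).push(hex);
    }
  }
  return found;
}

// Constructed payload: no ASCII '<', '>' or '=' anywhere, so the toy
// sanitizer finds nothing to remove; after NFKC it is an <img> with an
// onerror handler.
const PAYLOAD = "\uFF1Cimg src\uFF1Dx onerror\uFF1Dalert(1)\uFF1E";

function demo() {
  const leaked = vulnerablePipeline(PAYLOAD);
  const blocked = hardenedPipeline(PAYLOAD);
  console.log("sanitize-then-normalize:", JSON.stringify(leaked), containsActiveHtml(leaked));
  console.log("normalize-then-sanitize:", JSON.stringify(blocked), containsActiveHtml(blocked));
  const smuggles = findNormalizationSmuggles(sanitizeHtml);
  for (const [ascii, points] of Object.entries(smuggles)) {
    console.log(`folds to ${ascii}:`, points.join(" "));
  }
  return { leaked, blocked, smuggles };
}

demo();
```

Run it with Node. The first line shows the payload surviving the vulnerable order as a live `<img onerror=...>`, the second shows the hardened order reducing it to an empty string, and the remaining lines list every code point the toy sanitizer lets through that NFKC turns into a bracket, equals sign, quote or slash. Against a real sanitizer, swap `sanitizeHtml` for the library call and the enumeration tells you exactly which characters it must be shown in normalized form.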

The takeaway is straightforward. If your security testing only checks for script tags in input fields, you are testing for vulnerabilities from 2010. The attacks have moved on. Your testing needs to move on too.
