An XSS attack takes place when an attacker injects malicious script as part of user-provided input, or by modifying a request so that the injected script reaches the page. If the Web application is vulnerable to XSS, that user-supplied input is executed by the victim's browser as code. In the example below, the injected script displays a message box containing the text XSS.
There are many ways to trigger an XSS attack. For example, the script can execute automatically when the page loads, or only when the user hovers over specific elements of the page (e.g., hyperlinks).
Potential consequences of XSS attacks include:
- Capturing the keystrokes of a user.
- Redirecting a victim to a malicious website.
- Running Web browser-based exploits (e.g., crashing the browser).
- Obtaining the cookies of a user who is logged into a website, and thereby compromising the victim’s account.
In some cases an XSS attack leads to a complete compromise of the victim’s account: the injected script can present a fake login form, and whatever credentials the user enters on it are sent to the attacker.
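The mechanism described above, as an added example that is not part of the original article: a tiny server-side template that reflects a user-supplied display name into a page, shown in its vulnerable form beside its escaped form, with two checks a test suite can run on the rendered output. The function and sample names are hypothetical.

```javascript
// Added example (not code from the original article). Names are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape the five characters that change meaning in HTML text and in quoted
// attribute values, so user input is rendered as data rather than markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the name is concatenated straight into the markup, so any tags
// or attribute-closing quotes in the input become part of the page.
function renderProfileUnsafe(displayName) {
  return '<h1>Welcome, ' + displayName + '</h1>\n' +
         '<a href="/profile" title="' + displayName + '">Your profile</a>';
}

// Hardened: the same template, but every untrusted value is escaped first.
function renderProfileSafe(displayName) {
  const safe = escapeHtml(displayName);
  return '<h1>Welcome, ' + safe + '</h1>\n' +
         '<a href="/profile" title="' + safe + '">Your profile</a>';
}

// Check 1: did a <script> element appear that the template itself never emits?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

// Check 2: what does the browser-side parser see as the title attribute?
// If the input broke out of the quotes, the value is cut short and the rest
// of the input becomes new attributes (e.g. an on-hover event handler).
function titleAttribute(html) {
  const m = /title="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Constructed sample inputs: a normal name, the message-box payload the
// article describes, and input that closes the attribute to add a handler.
const SAMPLES = {
  benign: 'Alice',
  scriptTag: "<script>alert('XSS')</script>",
  attrBreakout: '" onmouseover="alert(\'XSS\')',
};
```

Escaping addresses the injection itself; marking session cookies HttpOnly additionally limits what injected script can read if escaping is missed somewhere.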