Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser.
Unlike attacks such as SQL injection, XSS does not target the application itself but its users. The attacker still gets there by exploiting a vulnerability in a website that the victim visits.
To run JavaScript in the victim's browser, the attacker has to get it into a page that the victim loads from the vulnerable website, so that the browser runs it with that site's origin and privileges.
This usually happens when the website includes user input in its pages without encoding it. The attacker can then submit a string that the victim's browser parses as markup and executes as code.
For example:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <meta http-equiv="X-UA-Compatible" content="ie=edge" />
  <title>Document</title>
</head>
<body id="container">
  <h1 id="title">XSS test</h1>
  <script>
    // Stands in for the most recent user comment as the server embedded it.
    // The closing tag is spelled <\/script> only so the HTML parser does not
    // end this script block early; the string itself still holds </script>.
    const lastComment = `<script> alert("Vulnerable to XSS!") <\/script>`;
    // Written straight into the document while it is still being parsed,
    // so the embedded <script> element is parsed and executed.
    document.write(lastComment);
  </script>
</body>
</html>
Because the user's input is included directly in the DOM, the attacker could submit a comment such as <script>alert("Vulnerable to XSS!")</script>, which the victim's browser will execute as JavaScript.
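As an added example (not code from the original page), here is the same comment-rendering step as plain string functions: the vulnerable version splices the comment in raw, the hardened one HTML-escapes it first so the browser displays the text instead of executing it. The escapeHtml function, the containsInjectedTag check and the sample payload are assumptions of this example, not part of the page.

```javascript
// Added example, not from the original page: rendering a user comment into
// HTML, first the way the vulnerable page does it (raw concatenation), then
// with HTML-escaping so the browser treats the comment as text, not markup.

// The five characters that can change meaning in HTML element content or in
// a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape user-controlled text for insertion into element content or a
// double-quoted attribute. Other contexts (URLs, event handlers, inline
// script) need their own encoders; this one is not enough there.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the comment is spliced into the markup as-is, so any tags it
// contains become part of the page.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: the comment is escaped, so "<script>" reaches the browser as
// "&lt;script&gt;" and is shown to the user rather than executed.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Crude check, used only to make the difference visible: after stripping the
// single wrapper <div> of the templates above, does any tag remain?
function containsInjectedTag(html) {
  const inner = html.slice('<div class="comment">'.length, -'</div>'.length);
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed attacker input, the same payload as in the text.
const PAYLOAD = '<script>alert("Vulnerable to XSS!")</script>';

console.log('unsafe:', renderCommentUnsafe(PAYLOAD));
console.log('safe:  ', renderCommentSafe(PAYLOAD));
```

In the browser the equivalent of the hardened path is to insert the comment through textContent or createTextNode rather than document.write or innerHTML. Note that escaping for element content does not protect other insertion points: a comment placed into an href attribute, an inline event handler or a script block needs the encoding appropriate to that context.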
Once the injected script is running, the attacker can carry out attacks such as the following:
Steal cookies. JavaScript can read cookies through document.cookie. Because the malicious JavaScript executes in the context of the target website, the attacker gets the user's cookies for that site (except those set with the HttpOnly flag, which are hidden from script) and can send them to their own server with an HTTP request.
Log keystrokes. The attacker can register a listener for keyboard events, effectively building a keylogger, and capture the user's email address, usernames, passwords, credit card numbers and other sensitive information as they are typed.
Inject forms. The attacker can use DOM manipulation to modify an existing form, or add one of their own, so that it POSTs to the attacker's server while the address bar still shows the legitimate site.