Cross-site scripting (also known as XSS) is a type of attack in which a malicious script is injected into a website or web application; the payload runs when a browser that trusts the site visits it and allows the script to execute.

XSS works because a browser trusts the website it is accessing. That trust lets the injected script access important data such as cookies or session tokens, which may contain sensitive information, depending on what other browser pages are open at the time. If the attacking script is able to gain access to authentication data for another website, it could be used to perform a man-in-the-middle attack.
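
As an added example, not part of the original entry: a minimal page renderer in its vulnerable form beside the escaped form that stops injected markup from becoming a script, plus the cookie attribute that keeps a session token out of reach of any script that does run. The function names and the sample input are assumptions made for this illustration.

```javascript
// Added example, not code from the original page. A tiny "profile page"
// renderer: the unsafe version interpolates untrusted input straight into
// HTML, so the browser runs any <script> the input carries; the safe
// version HTML-escapes it first. All names here are hypothetical.

// Escape the five characters that let text break out of an HTML text node
// or attribute value. This is the standard output-encoding defence.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: user-controlled displayName lands in the page unchanged.
function renderProfileUnsafe(displayName) {
  return `<h1>Welcome, ${displayName}</h1>`;
}

// Fixed: the same input is encoded, so the browser shows it as text.
function renderProfileSafe(displayName) {
  return `<h1>Welcome, ${escapeHtml(displayName)}</h1>`;
}

// Crude check used only to contrast the two outputs: does the rendered
// HTML contain a literal <script> element the browser would execute?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a display name carrying a script tag, the
// textbook probe used to confirm that a sink reflects input unescaped.
const SAMPLE_NAME = '<script>alert("xss")</script>';

// Cookie attributes that limit what an injected script can reach:
// HttpOnly keeps document.cookie from exposing the session token, which
// is exactly the data the entry above says XSS goes after.
function sessionCookieHeader(token) {
  return `session=${token}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Returns both renderings so the difference can be inspected or asserted.
function demo() {
  return {
    unsafe: renderProfileUnsafe(SAMPLE_NAME),
    safe: renderProfileSafe(SAMPLE_NAME),
  };
}
```

Run `demo()` to see the unsafe output still containing `<script>` while the safe output shows the tag as inert text.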

Additional Information

  • XSS is most commonly performed using JavaScript.


Last updated: 18 October 2017