Cross-Site Scripting (XSS)

A reflected attack that injects malicious client-side executable code into web application parameters to be returned by the application output and ultimately executed by the browser. Because it appears that the script is from a trusted source, the end-user’s browser accepts it and runs the script, permitting the attacker to take actions on the application’s behalf, such as accessing cookies and session tokens as well as other sensitive data. This attack can also be used to rewrite the webpage in order to trick the user, embarrass the company or cause other issues. XSS attacks are usually ephemeral, but, if the injected code is populated into a database for later use by the application, it is referred to as Persistent XSS.