XSS – Cross Site Scripting
A cross-site scripting attack usually occurs when a web application allows (the vulnerability) users to append custom code (JavaScript) to the URL path or to enter it onto a web page through form/input fields. The malicious JavaScript is then executed in the victim's browser, exploiting the vulnerability, when the web pages are accessed or viewed by other users.
In another scenario, an attacker could send a victim an email that appears to come from a trusted, legitimate source such as a bank, telecom network provider or insurance company, with a link to that bank's or company's website.
This link would have some malicious JavaScript code appended to the end of the URL. If the bank's or company's website is not properly protected against cross-site scripting, that malicious code would be executed in the victim's web browser when the victim clicks on the link, and can be used to steal session cookies, user credentials, or deliver malware.
Cross-site scripting is generally categorized into two major types.
- Reflected XSS [This happens when a legitimate user clicks on a link or image with appended malicious code, sent by the attacker through an email, a social media app chat message, etc.]
- Stored XSS [This happens when the attacker has already entered and stored the malicious JavaScript code as part of valid data in the database, through the normal input form fields of the website, and those scripts get executed in the browser when victims access or view that data on certain pages of the web application]
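
The two types above differ only in where the untrusted value comes from (the URL versus the database); in both, the page becomes vulnerable at the point where that value is written into HTML without encoding. The following is an added example, not code from the original page: the function names, the `bank.example` URL and the sample rows are constructed for illustration, and it shows each unsafe rendering path beside a version that HTML-encodes its output.

```javascript
// Added example: all names and sample data below are constructed.

// Encode the characters that let text break out of HTML element or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected case: a value taken from the URL is echoed straight back into the page.
function renderSearchUnsafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<p>Results for: ${q}</p>`; // vulnerable: raw URL data placed in HTML
}
function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<p>Results for: ${escapeHtml(q)}</p>`; // encoded: shown as text, not parsed as markup
}

// Stored case: values saved earlier through a form are rendered for every visitor.
function renderCommentsUnsafe(rows) {
  return rows.map((r) => `<li>${r.author}: ${r.text}</li>`).join('');
}
function renderCommentsSafe(rows) {
  return rows.map((r) => `<li>${escapeHtml(r.author)}: ${escapeHtml(r.text)}</li>`).join('');
}

// Constructed sample input using a harmless marker script.
const marker = '<script>alert(1)</script>';
const sampleUrl = 'https://bank.example/search?q=' + encodeURIComponent(marker);
const sampleRows = [
  { author: 'alice', text: 'Great service' },
  { author: 'mallory', text: marker },
];

// Simple check a test suite can run over rendered output.
const hasScriptTag = (html) => /<script\b/i.test(html);

console.log('reflected unsafe:', hasScriptTag(renderSearchUnsafe(sampleUrl)));
console.log('reflected safe:  ', hasScriptTag(renderSearchSafe(sampleUrl)));
console.log('stored unsafe:   ', hasScriptTag(renderCommentsUnsafe(sampleRows)));
console.log('stored safe:     ', hasScriptTag(renderCommentsSafe(sampleRows)));
```
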