Reflected Cross-site Scripting (XSS) is one of the most widely exploited web application flaws. To exploit this vulnerability, the application uses one or more parameters as an input, which is reflected back to the web page (source code) generated by the application. This may not sound dangerous at the moment but this flaw can be exploited to do one of the following things or more:
– Bypass CSRF protections
– Execute client-side exploits
– Track victims.
– Temporary defacements and other problems.
The previous code, if executed on a web browser, it will transfer all the cookies that fall under the origin of the web page to evil.com as soon as it gets loaded. However, there is an exception; cookies marked with HttpOnly will not be transferred as this acts as a protective measure to stop marked cookies from being reached through document.cookie.