Cross-site scripting (XSS) is the technique of injecting scripts into a web application. The injected script can be stored on the original web page and is then run or processed by every browser that visits that page, as if the injected script were really part of the original code.
XSS differs from many other kinds of attack in that it targets the client, not the server. Although the malicious script itself is saved in the web application (the server), the real goal is to get a user's browser to execute the script and perform an action.
As a security measure, web apps only have access to the data that they themselves write and store on a client. That means any data stored on your computer by one website cannot be accessed by another website. XSS can be used to bypass this constraint. When an attacker is able to inject a script into a trusted website, the user’s browser treats all of the content, including the malicious script, as good and therefore trusted.
Because the script is working on behalf of the trusted website, the malicious script will have the ability to access possibly sensitive data saved on the client, including session tokens and cookies.
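The stored case described above, where saved input is later served to every visitor as if it were the page's own code, is shown here as an added example that is not part of the original page. The comment data, function names and the harmless marker script are all constructed for illustration; the second renderer applies HTML output encoding, a standard defence that the page itself does not discuss.

```javascript
// Constructed sample: comments as a web application might have stored them.
// The second entry carries a harmless marker script instead of plain text.
const storedComments = [
  { author: "alice", text: "Great article, thanks!" },
  { author: "mallory", text: "<script>document.title = 'injected'</script>" },
];

// Vulnerable rendering: stored text is concatenated straight into the markup,
// so the browser cannot tell it apart from the site's own code.
function renderUnsafe(comments) {
  return comments
    .map((c) => `<li><b>${c.author}</b>: ${c.text}</li>`)
    .join("\n");
}

// Characters that let text break out of an HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering: every stored field is encoded before it reaches the
// page, so the browser displays the markup as text instead of running it.
function renderSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join("\n");
}

// Simple check a test suite could run against rendered output.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe output contains a script element:",
  containsScriptElement(renderUnsafe(storedComments)));
console.log("safe output contains a script element:",
  containsScriptElement(renderSafe(storedComments)));
```
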