Cross-Site Scripting

An attacker injects malicious JavaScript into your website, so that their script runs on the site in your users' browsers.

  1. Your website can post comments.

  2. Someone posts:

    <script>
      alert("I control this page");
    </script>
    
  3. Your website didn't block it.

  4. This JS runs in your user’s browser under your website’s identity.
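
Added example, not part of the original note: a comment renderer that interpolates the comment body raw (step 3, the site did not block it) beside one that HTML-escapes every untrusted value first; the `renderComment*`, `escapeHtml` and `containsScriptTag` names and the sample comment are constructed for this illustration.

```javascript
// Added example (not part of the original note): a comment renderer
// that interpolates user input raw, beside one that HTML-escapes it.
// The comment body is a constructed sample matching the note's payload.

const ESCAPE_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Output encoding for the HTML element context: every character that
// could open or close a tag, or break out of an attribute, is replaced
// by its entity so the browser renders it as text, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable: the comment body becomes part of the page's markup, so a
// body containing <script> is executed as the site's own code.
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Hardened: same template, but every untrusted value is escaped before
// it reaches the HTML, so the posted script is displayed literally.
function renderCommentSafe(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Cheap regression check for a unit test: does a raw <script> tag
// survive into the rendered HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample comment, mirroring step 2 of the note.
const SAMPLE_COMMENT = {
  author: "someone",
  body: '<script>\n  alert("I control this page");\n</script>',
};

console.log(renderCommentUnsafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.body));
console.log(renderCommentSafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.body));
```

The unsafe output still contains a live `<script>` tag; the safe output contains `&lt;script&gt;`, which the browser shows as text.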

If attacker runs JS on your site, they can: