An organization recently suffered from a web-application attack that resulted in stolen user session cookie...

Cross-Site Scripting (XSS) is a type of web-application attack that results in stolen user session cookie information, when a user’s browser executes a script upon visiting a compromised website. XSS occurs when an attacker injects malicious code, usually in the form of a script, into a web page or application that is viewed by other users. The script can then access or manipulate the user’s browser, session, or data, such as cookies, credentials, or personal information. XSS can be classified into three types: reflected, stored, and DOM-based. Reflected XSS occurs when the script is embedded in a URL or a form input that is reflected back to the user by the web server. Stored XSS occurs when the script is stored in a database or a file on the web server, and is displayed to the user when they visit a specific page or application. DOM-based XSS occurs when the script is executed by the user’s browser due to a modification of the Document Object Model (DOM) of the web page or application34. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10, page 899; 100 CISSP Questions, Answers and Explanations, Question 19.