The ability to send malicious code, generally in the form of a client side script,...

Cross-Site Scripting (XSS) is a type of vulnerability that allows an attacker to inject malicious code, usually in the form of a client-side script, into a web application or a web page that is viewed by another user. The malicious code can then perform various actions on behalf of the victim user, such as stealing cookies, session tokens, personal information, or redirecting to malicious sites. XSS can be classified into three types: reflected, stored, and DOM-based. Reflected XSS occurs when the malicious code is embedded in a link or a parameter that is sent to the web server and then reflected back to the user’s browser. Stored XSS occurs when the malicious code is stored in a database or a file on the web server and then displayed to the user’s browser. DOM-based XSS occurs when the malicious code is executed by the user’s browser due to a modification of the Document Object Model (DOM) of the web page. References: CISSP CBK Reference, 5th Edition, Chapter 6, page 331; CISSP All-in-One Exam Guide, 8th Edition, Chapter 6, page 301