Cross-Site Scripting (XSS/CSRF) Flaws

Cross-site scripting (XSS) refers to injection of malicious scripts on trusted websites. XSS enables attackers to inject client-side script into web pages viewed by other users. For example, imagine a victim is using a web application (e.g., email or an e-commerce site) and is currently logged in to the account. If malicious code is present while the victim is logged in, that code sends the session information to the attacker's email account. The attacker can then tap into the user's session and log in while the victim is still using the application. This is an example of session hijacking using XSS.

Since XSS flaws are common in current web applications, the vulnerabilities are used by attackers to get unauthorized access to sensitive data.