Cross-site scripting (“XSS”) is a form of cyber attack involving a filtering vulnerability on a web site; such a vulnerability allows an attacker to perform scripting operations on a web browser. Often, those scripting operations are meant to hijack the web browser, typically by recovering the user's stored cookie values or by causing the browser to directly access URLs to perform actions upon the web site.
One common avenue of exploiting an XSS vulnerability is to cause the user to execute script code, e.g., JavaScript code that will collect the user's cookie values and send them to a remote server. An attacker will generally accomplish this by social engineering techniques, e.g., enticing the user into clicking on a URL in a web page, instant message, or HTML-based email message that, unbeknownst to the user, causes the browser to execute the script. Once the user unknowingly executes the attacker's script, data from the user's machine is forwarded to a server controlled by the attacker. The values are typically sent to the remote server by appending the user's cookie values as query parameters to a dynamically generated GET request.
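A defender can look for the GET-request pattern described above in egress proxy logs. The following is an added example, not part of the original text: it flags requests to other hosts whose query parameters carry a known cookie value of the protected site, including when the value has been URL-encoded twice. The host names, cookie values, URLs and function names are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

MIN_VALUE_LEN = 8  # skip short cookie values that would match by chance

# Constructed sample data (assumptions, not taken from the page).
SITE = "shop.example"
COOKIES = {"sid": "9f2c7a1b:e4d05566", "theme": "dark"}
URLS = [
    "https://shop.example/cart?item=42",
    "https://cdn.example.net/lib.js?v=3",
    "http://collector.invalid/c?d=sid%3D9f2c7a1b%3Ae4d05566%3B%20theme%3Ddark",
    "http://collector.invalid/c?d=sid%253D9f2c7a1b%253Ae4d05566",
    "https://shop.example/account?sid=9f2c7a1b%3Ae4d05566",
]


def decoded_forms(value, rounds=2):
    """Yield the value, then its repeatedly URL-decoded forms."""
    seen = {value}
    yield value
    for _ in range(rounds):
        value = unquote(value)
        if value in seen:
            return
        seen.add(value)
        yield value


def find_cookie_leaks(urls, cookies, site_host):
    """Return (url, cookie_name) pairs for GET requests to a host other than
    site_host whose query string contains one of the site's cookie values."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Assumption: the site and its subdomains may legitimately see the cookie.
        if host == site_host or host.endswith("." + site_host):
            continue
        # parse_qsl already URL-decodes each parameter value once.
        for _, raw in parse_qsl(parts.query, keep_blank_values=True):
            for name, secret in cookies.items():
                if len(secret) < MIN_VALUE_LEN:
                    continue
                if any(secret in form for form in decoded_forms(raw)):
                    hits.append((url, name))
    return hits


if __name__ == "__main__":
    for url, name in find_cookie_leaks(URLS, COOKIES, SITE):
        print(f"cookie '{name}' sent off-site: {url}")
```

The short `theme` cookie is skipped on purpose, so only long, session-like values produce alerts.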