Cross-Site Scripting

Gather the session information of a victim user, e.g. an administrator.

It is sometimes possible to conduct a replay attack using the session information.

Injecting an “alert” script into the database

Once saved, an alert window will appear with the session ID information

After we have successfully injected our script, we wait until someone else visits Tom’s information.

Use JavaScript or another programming language that embeds into HTML to send the session ID
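Seen from the defending side, the stored script only runs because the saved value is written back into the page unencoded, and it can only read the session ID because the cookie is visible to page script. The following is an added example, not code from the original page: the profile record, the function names and the cookie name `sessionid` are assumptions made for illustration.

```javascript
// Constructed sample record: a profile field holding a script-bearing value,
// as it would sit in the database after the injection described above.
const storedProfile = {
  name: "Tom",
  street: "<script>alert(document.cookie)</script>",
};

// Vulnerable rendering: the stored value is concatenated into HTML as-is,
// so every visitor's browser parses it as markup and executes it.
function renderProfileUnsafe(profile) {
  return `<td>${profile.street}</td>`;
}

// HTML-encode the five characters that are significant in element and
// quoted-attribute context. A single pass avoids double-encoding "&".
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: the same stored value is displayed as inert text.
function renderProfileSafe(profile) {
  return `<td>${escapeHtml(profile.street)}</td>`;
}

// Second layer: a session cookie flagged HttpOnly is not exposed through
// document.cookie, so injected script has no session ID to display or send.
// Secure and SameSite limit where the browser will transmit the cookie.
function sessionCookieHeader(sessionId) {
  return `sessionid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

console.log("unsafe:", renderProfileUnsafe(storedProfile));
console.log("safe:  ", renderProfileSafe(storedProfile));
console.log("Set-Cookie:", sessionCookieHeader("constructed-session-value"));
```

Output encoding removes the execution; `HttpOnly` limits the damage if an encoding gap is missed elsewhere in the application.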
