XSS is an attack that allows you to inject and execute malicious HTML or JavaScript. This can be used to steal critical data (for example, session data) from cookies. As the code is executed in the context of a vulnerable application, this allows you to perform other attacks such as phishing, keyboard login, or redirecting the user to a malicious website. In the case of "stored Cross-Site Scripting" the injected code is permanently placed in the application, which makes it more dangerous than "Reflected Cross-Site Scripting" where the attacker must send the victim a specially prepared link.
One of the applications studied identified many parameters that were susceptible to javascript injection. The following is an excerpt from the request with the malicious code marked in red. It performs an action that displays an Alert notification,and it only targets documentation that such an attack is possible. During a real hacker attack, most often using XSS steals a session cake.
In the figure below, you can see the execution of malicious code in the victim's browser through an action that displays an Alert notification.
