# Cross-Site Scripting (XSS)

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FyXsQT8FBZWASUhdHL8Aq%2Fimage.png?alt=media&#x26;token=0fb4a7aa-e78d-4fc4-9601-285291a221aa" alt=""><figcaption></figcaption></figure>

First we tried entering a normal name into the website.

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FCuResBEzqWHjOiiSQ58B%2Fimage.png?alt=media&#x26;token=fb642977-f8f5-43dc-a159-c4c444fd1ad7" alt=""><figcaption></figcaption></figure>

Then we insert our malicious code, which is the XSS attack payload:

```
#"><img src=/ onerror=alert(document.cookie)>
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2Fknb7vs8RaExzytJAtq0z%2Fimage.png?alt=media&#x26;token=764d796b-732c-4985-8f06-594e6a0d93bf" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FQTACMMJjJOljU0c9Gjmg%2Fimage.png?alt=media&#x26;token=eaf0e5c0-c234-4fc0-811e-5d686c63a721" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FspSsZlGfwHUHDcVaYGGY%2Fimage.png?alt=media&#x26;token=6fcf15cb-7102-450e-b482-44ca5eda904d" alt=""><figcaption></figcaption></figure>

`">
1. `#">`: This part breaks out of the place where the name is reflected. The `#` is just filler for the value, the `"` closes the quoted attribute value the input was placed inside, and the `>` closes that element, so everything after it is parsed by the browser as new markup rather than as attribute text.
2. `<img src=/`: This starts an `<img>` tag with the `src` attribute set to `/`, the root path of the website. The server answers that path with an HTML page, not an image, so the browser fails to decode it and the image load errors out.
3. `onerror=alert(document.cookie)`: This is where the actual attack takes place. The `onerror` attribute is an event handler that runs when the image fails to load, which the invalid `src` guarantees. The JavaScript `alert(document.cookie)` then pops up a dialog showing the value of `document.cookie`, which contains the cookies of the current site that are readable from script. This is a common technique used in XSS attacks to steal sensitive information like session cookies; cookies set with the `HttpOnly` flag are not exposed through `document.cookie`, which is why that flag (together with output encoding of user input) is the usual mitigation.
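The breakout described in the list above only works because the name is inserted into the attribute without encoding. The following is an added example, not code from the original write-up or from the lab being attacked: the rendering template is an assumption about how the page echoes the name (the lab's real markup is not shown here), and `countTags` is a hypothetical check that flags any rendered fragment in which the user's input turned into additional tags.

```javascript
// Added example (not from the original write-up). The template below is an
// assumption about how the lab reflects the submitted name into the page.

// The payload from the write-up, kept as a constant for comparison.
const PAYLOAD = '#"><img src=/ onerror=alert(document.cookie)>';

// Vulnerable: the name is concatenated straight into a quoted attribute,
// so a '"' in the input ends the attribute and a '>' ends the element.
function renderNameVulnerable(name) {
  return '<input type="text" name="name" value="' + name + '">';
}

// Encode the characters that carry meaning inside HTML text and quoted
// attributes. After this, '"' and '>' are data, not delimiters.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened: identical template, but the value is encoded for the attribute context.
function renderNameSafe(name) {
  return '<input type="text" name="name" value="' + escapeHtmlAttr(name) + '">';
}

// Hypothetical structural check: count the tags in the rendered fragment.
// Rendering one input field should give exactly one tag; a second tag means
// the user's input was interpreted as markup, which is the condition to alert on.
function countTags(html) {
  const matches = html.match(/<[a-zA-Z][^>]*>/g);
  return matches ? matches.length : 0;
}

// Run stand-alone to see both renderings side by side.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderNameVulnerable(PAYLOAD), '->', countTags(renderNameVulnerable(PAYLOAD)), 'tag(s)');
  console.log('safe:      ', renderNameSafe(PAYLOAD), '->', countTags(renderNameSafe(PAYLOAD)), 'tag(s)');
}
```

With the vulnerable template the payload yields two tags, the original `<input>` plus the injected `<img>`; with the encoded template the same input stays inside the attribute and the fragment contains a single tag. Output encoding for the exact context the data lands in (here, a quoted attribute) is the fix; marking the session cookie `HttpOnly` limits what a successful injection can read.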

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FgCU8C3GQ1WcYOjsvR2kU%2Fimage.png?alt=media&#x26;token=71e34afd-3d6a-4e71-aaa7-2ceceb0b5cf9" alt=""><figcaption></figcaption></figure>
