An XSS (Cross-Site Scripting) attack is an attack in which attackers inject a script into a webpage. The script can do anything that a script on the page is able to do, such as sending users' personal data to the attackers or causing unexpected behavior on the page. This is mainly done by injecting <script> tags or any other element with an event handler, for example an <img> tag with an invalid src attribute and an onerror event handler containing the real script.
According to Wikipedia, 68% of websites are likely open to XSS attacks.
Common Ways of Attacking
One of the easiest and most popular ways to inject scripts is through input boxes whose content gets stored on a server and is not validated on the server side. (Note: Client-side validations can be bypassed.)
Another common way is to include it as a part of a URL which will get embedded in the page. For example
There is also a phishing technique named Self-XSS, in which the user is convinced to execute certain code in the browser console.
Also, if attackers somehow make the browser misinterpret the character encoding, for example as UTF-7 (not to be confused with UTF-8), text that appears harmless to the server can become harmful.
The only way to prevent XSS attacks is by escaping all the text being embedded into the page and sanitizing unsafe content, for example converting < to &lt;. Care also needs to be taken that the character encoding is correctly defined.
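The escaping and encoding advice above, as an added example that is not part of the original page: a comment renderer without escaping beside one that escapes at output, plus a response that declares its character encoding. All function names and the sample values are hypothetical and constructed for illustration.

```javascript
// Added example: output escaping for text embedded in HTML (all names are hypothetical).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that can open a tag, start an entity or close an attribute value.
// A single pass over the input means '&' is never escaped twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: stored text is concatenated into the markup as-is.
function renderCommentUnsafe(author, text) {
  return `<div class="comment" title="${author}">${text}</div>`;
}

// Hardened: every untrusted value is escaped at the point of output,
// so quotes cannot close the title attribute and '<' cannot open an element.
function renderCommentSafe(author, text) {
  return `<div class="comment" title="${escapeHtml(author)}">${escapeHtml(text)}</div>`;
}

// Declare the encoding in the header and in the document so the browser never has to guess it.
function buildResponse(bodyHtml) {
  return {
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: `<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>${bodyHtml}</body></html>`,
  };
}

// Constructed sample input, matching the <img>/onerror case described in the text.
const sampleText = '<img src="x" onerror="alert(1)">';
const sampleAuthor = 'Tom "T" O\'Neil & Co';

function demo() {
  return {
    unsafe: renderCommentUnsafe(sampleAuthor, sampleText),
    safe: buildResponse(renderCommentSafe(sampleAuthor, sampleText)),
  };
}

// Print both renderings when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  const { unsafe, safe } = demo();
  console.log(unsafe);
  console.log(safe.headers['Content-Type']);
  console.log(safe.body);
}
```

In the unsafe output the browser parses the stored text as an element; in the safe output the same text is displayed literally.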