Attack Vectors and Injection Points
XSS attacks begin with identifying injection points where user-controlled data enters the application. These injection points are numerous in modern web applications: URL parameters, form fields, HTTP headers, file uploads, cookies, and even external data sources like APIs or databases that may already hold attacker-supplied content. Each injection point is a potential vulnerability if the application does not encode the data for the context into which it is inserted (HTML body, attribute value, URL, script) before including it in a page.
Consider a vulnerable web application that displays user comments. The application might use code like echo "<div>$userComment</div>" without encoding the comment for HTML. An attacker could submit a comment containing <script>malicious_code()</script>, which the application faithfully includes in the HTML sent to other users. When their browsers parse this HTML, they encounter the script tag and execute the attacker's code in the origin of the vulnerable site, with access to each victim's session. The injection doesn't require sophisticated techniques: it exploits the application's failure to distinguish between data and code.
More subtle injection vectors exist beyond obvious script tags. Attackers can inject JavaScript through event handlers like <img src=x onerror="malicious_code()">, through HTML attributes like <div onclick="malicious_code()"> (often by closing an existing quoted attribute with a stray quote rather than injecting a whole new tag), through URL-valued attributes such as href="javascript:malicious_code()", or historically even through CSS with <style>body{background:url('javascript:malicious_code()')}</style>. Modern browsers have eliminated some vectors, such as script execution from CSS url() values, which only legacy engines like old Internet Explorer honored, but creative attackers constantly discover new injection techniques. The variety of injection vectors means developers cannot rely on a blocklist of known-bad tags; they must be vigilant about every place where user data enters their applications and encode it for the exact context in which it is emitted.