The Browser Execution Context

Modern web browsers are sophisticated execution environments that process HTML, CSS, and JavaScript to create interactive web experiences. When a browser receives an HTML document, it begins parsing the content, building the Document Object Model (DOM), and executing any scripts it encounters. This execution happens in a specific context with access to various browser APIs, cookies, local storage, and the ability to make network requests. Understanding this execution context is crucial because XSS attacks succeed by injecting code that runs within this trusted environment.

The browser's JavaScript engine doesn't distinguish between legitimate scripts from the web application and injected malicious scripts. Both execute with the same privileges and access to the same resources. When a page from example.com contains JavaScript, whether legitimate or malicious, that script can access the cookies for example.com that are exposed to script, read and modify the page's DOM, make XMLHttpRequest calls to example.com endpoints, and access other same-origin resources. This powerful execution environment becomes a weapon in the hands of attackers who successfully inject malicious scripts.
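To make the cookie exposure described above concrete, the following added example (not code from the original page) audits a set of `Set-Cookie` headers and reports what any script running in the page would read from `document.cookie`. It relies on the standard `HttpOnly` cookie attribute, which the page does not mention; the sample headers, function names and the name-matching heuristic are assumptions made for illustration, and every cookie is assumed to be in scope for the page.

```javascript
// Constructed sample: Set-Cookie headers from a hypothetical example.com response.
const SAMPLE_SET_COOKIE = [
  'sessionid=constructed-session; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
  'auth_token=constructed-token; Path=/; Secure',
  'lang=en; Path=/',
];

// Parse one Set-Cookie value into name, value and a lowercased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // nameless cookies are skipped in this audit
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Cookies without HttpOnly are readable by every script in the page,
// whether the application shipped it or it was injected.
function scriptVisibleCookies(headers) {
  return headers.map(parseSetCookie).filter((c) => c && !c.attributes.httponly);
}

// The string any page script would see in document.cookie.
function scriptVisibleCookieString(headers) {
  return scriptVisibleCookies(headers)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Assumed heuristic: cookie names that look like credentials.
const SENSITIVE_NAME = /sess|auth|token|jwt/i;

// Credential-like cookies that page scripts can read: candidates for HttpOnly.
function exposedSensitiveCookies(headers) {
  return scriptVisibleCookies(headers)
    .filter((c) => SENSITIVE_NAME.test(c.name))
    .map((c) => c.name);
}

console.log('document.cookie would be:', scriptVisibleCookieString(SAMPLE_SET_COOKIE));
console.log('script-readable credentials:', exposedSensitiveCookies(SAMPLE_SET_COOKIE));
```

In the sample, `sessionid` is withheld from script because it carries `HttpOnly`, while `auth_token` is flagged because it does not.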