Cross-site scripting (XSS) uses a vulnerable server to attack its visitors rather than the server itself. The attacker injects JavaScript into input that the application does not sanitize; when an unsuspecting user clicks a malicious link or visits a compromised resource, that code runs in the user's browser. For instance, Eve could send Alice a link containing the XSS attack.
This variant is called reflected XSS: Eve discovers a vulnerability and sends a malicious link to an unsuspecting user. When the user clicks the link, the web server reflects the injected input back in its response, and the attack executes in the victim's browser.
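The reflection described above, as an added example that is not part of the original page: one constructed link is rendered by a minimal search page, first with the query value copied into the markup unchanged and then with HTML output encoding. The host `shop.example`, the `q` parameter and the function names are assumptions made for illustration.

```javascript
// Added example: a search page that echoes the "q" query parameter.
// Host, path, parameter name and function names are constructed.

// Escape the five characters that are significant in HTML text and
// in quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the parameter is copied into the markup unchanged, so any
// markup carried in the link becomes part of the page the browser parses.
function renderUnsafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return `<p>Results for: ${q}</p>`;
}

// Hardened: the same value is HTML-encoded on output, so the browser
// displays it as text instead of interpreting it as markup.
function renderSafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Constructed link of the kind Eve sends to Alice, with a harmless marker
// in place of real attack code.
const link = 'https://shop.example/search?q=' +
  encodeURIComponent('<script>alert(1)</script>');

console.log('unsafe:', renderUnsafe(link)); // script element reaches the page
console.log('safe:  ', renderSafe(link));   // same input rendered as inert text
```

The encoding here is correct for HTML element content and quoted attribute values; values placed inside a script block, a URL or a style rule need the encoding for that context instead.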