First, a quick review of Cross Site Scripting.
Imagine that I want to get your website to serve up malicious content for me.
Say, perhaps, that I want to alter your “Pay Now” page so that the customer sees a credit card payment form that comes from you, looks legitimate, seems secure…
…but sends the form data back to me instead.
One way is to hack right into your web server and modify your content delivery system.
Another way – a method that is generally much easier to pull off once you know how to do it – is to trick your website into “echoing back” data that I supplied remotely, but setting that data to be the malicious content I want to display.