Cross-site scripting (XSS) is a client-side code injection attack in which malicious scripts are executed in a user's web browser because malicious code has been included in a legitimate web page or web application. It can also occur when an individual clicks on an untrusted link that can pass cookies and other sensitive information to attackers.
The attack takes place when you visit a web page or web app that executes the malicious code. The web page or web app thus becomes the vehicle that delivers the malicious script to the user's browser.
The most commonly used vehicles for cross-site scripting attacks are forums, message boards, and even web pages that encourage users to comment.
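
As an added example (not from the original page), the JavaScript below shows how a comment feature becomes such a vehicle when it places user text into HTML unencoded, next to a version that encodes it first. The function names and the sample comments are constructed for illustration.

```javascript
// Added example: a comment board rendering user comments into HTML.
// escapeHtml, renderCommentUnsafe, renderCommentSafe and renderBoard are
// hypothetical names, not taken from any real application.

// Characters that let text break out of an HTML text node or quoted attribute.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value so the browser treats it as text, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the comment is concatenated into the page as-is, so any tags
// it contains become part of the document every visitor loads.
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Hardened: every user-controlled value is encoded for the HTML context.
function renderCommentSafe(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Constructed sample input: one ordinary comment and one carrying markup.
const SAMPLE_COMMENTS = [
  { author: "alice", body: "Nice post, thanks & regards!" },
  { author: "mallory", body: "<script>alert(1)</script>" },
];

// Render the whole board with the chosen comment renderer.
function renderBoard(render) {
  return SAMPLE_COMMENTS.map((c) => render(c.author, c.body)).join("\n");
}

console.log(renderBoard(renderCommentUnsafe)); // script element reaches the page
console.log(renderBoard(renderCommentSafe));   // same comment shown as inert text
```

This encoding covers HTML text and quoted-attribute contexts only; values placed in URLs, inline scripts, or styles need encoding specific to those contexts.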