Cross-site scripting (XSS) attacks occur when malicious scripts are injected into otherwise benign websites. An attacker can use XSS to send a malicious script to an unsuspecting user, giving the script access to cookies and other sensitive information. XSS attacks are successful because most programmers do not apply encoding to user input, allowing injected scripts to be rendered and executed by the user's browser.