An XSS scenario requires three vectors: a web application, a victim, and an attacker.

In a conventional scenario, the attacker's aim is to impersonate the target by stealing the session cookie. Then, the attacker sends the cookies to the server by posing as the user itself, which results in the session hijacking:

1. The attacker initially injects malicious JavaScript in the website's backend
2. The victim sends an HTTP request to the web page where the malicious JavaScript is stored
3. The application's malicious JavaScript web page is displayed in the victim's browser, along with the attacker's payload, as the HTML content in the page
4. The victim's browser then executes the malicious JavaScript inside the HTML body, making it easier for the attacker to steal cookies