Here is an example of how Cross-Site Scripting (XSS) can result in sensitive information being stolen by an attacker.

Imagine an attacker posts an image to the comments section of a news article with:

<img src="https://ks92.co/monster" alt="A picture of a cookie monster" />

At first glance it looks legitimate, and other users can see the picture displayed correctly. What could possibly go wrong? Tricking browsers into loading a resource from an untrusted source opens the door to XSS attackers. The image source URL could return a JavaScript file that steals all the information from your browser, including the session cookie or potentially authentication tokens to other services. The final returned image is only a side effect of the script. Once a JavaScript file is loaded onto a webpage, it has full control over the HTML and can read all the information on the page. That's how tracking pixels work, after all.
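
One defensive pattern for the comment scenario above, as an added example that is not part of the original article: the comment form takes an image URL instead of raw HTML, the server accepts it only if it is https and hosted on an approved origin, and a Content-Security-Policy header backs that up in the browser. The host `images.news.example` and the function names are assumptions made for illustration.

```javascript
// Added example: the allowlisted hostname is constructed, not a real service.
const ALLOWED_IMAGE_HOSTS = new Set(["images.news.example"]);

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Accept an image URL (never raw HTML) from a commenter and return safe markup,
// or null if the URL is not https or not hosted on an approved origin.
function renderCommentImage(rawUrl, altText) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null; // reject embedded credentials
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) return null;
  return `<img src="${escapeAttr(url.href)}" alt="${escapeAttr(altText)}">`;
}

// Content-Security-Policy as a second layer: even if markup slips through,
// the browser refuses images and scripts from origins not listed here.
function buildCsp() {
  const imgHosts = [...ALLOWED_IMAGE_HOSTS].map((h) => `https://${h}`).join(" ");
  return [
    "default-src 'self'",
    `img-src 'self' ${imgHosts}`,
    "script-src 'self'",
    "object-src 'none'",
  ].join("; ");
}

// Constructed sample submissions, including the URL from the article.
const samples = [
  "https://ks92.co/monster",
  "https://images.news.example/cookie.png",
  "http://images.news.example/cookie.png",
];
for (const s of samples) {
  console.log(s, "->", renderCommentImage(s, "A picture of a cookie monster"));
}
console.log(buildCsp());
```

Send the value returned by `buildCsp()` in the `Content-Security-Policy` response header of every page that renders comments.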