Malicious instructions (script) are injected into otherwise innocent and trusted web sites, allowing the attacker to modify the web page to suit the attacker’s objectives.