Which attack involves injecting a browser script into a website that runs in the victim's browser and can perform actions on the target site on behalf of the user?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

Explanation:
Cross-Site Scripting (XSS) happens when an attacker injects a malicious script into a web page so that the victim’s browser executes it. That script runs in the context of the user’s session, which means it can read the user’s cookies or tokens (unless protected by HttpOnly or similar controls) and perform actions on the target site on behalf of the user. The result is that the attacker can manipulate the site as the logged-in user, steal session data, or extract sensitive information.

This differs from the other options: a CSRF attack does not inject code into the page but tricks the user’s browser into submitting unwanted requests using the user’s authenticated session. A SQL injection targets the server’s database by manipulating queries, not by running code in the user’s browser. Clickjacking hides or overlays UI elements to trick the user into clicking something, without executing scripts in the victim’s browser.
