Not yet; I don't have enough money to buy many presents right now. I know what to do: I'll use someone else's card online.
Have you bought any Christmas presents yet?
I see this website here has no Content Security Policy defined. I can post a comment on a forum and inject some code into it.
I've posted a comment containing JavaScript code onto this webpage. The code is stored in the webserver's database backend. This is a Stored XSS attack.
This code will access their cookies, so I can pretty much assume their identity. I can log into their Amazon account and order presents.
Since the code is stored on the webpage, any time a user opens it, the code is retrieved and executed. I will get access to their session cookies.
What happens when a user opens that webpage?
Lucky me, their account is open and their payment details are stored and ready to use. Let's get some presents.
Someone has opened the webpage, and my code has executed. I now have access to their cookies. Let's check if their Amazon account is open.