One of the most annoying things for many users is filling in form fields on websites. It’s tedious to type the same information over and over again, especially when it’s something as simple as their personal information: name, phone number, address, credit card number, expiration date, and the like. Unfortunately, the form-filling tools that remove this tedium can spell trouble for users of websites that are vulnerable to XSS.
Some (not all) automated form-filling tools do so blindly. That is, they don’t ask for user input before they enter data, and in fact they do little validation at all beyond matching the names of common form fields. So what does the attacker do? They create a form inside their XSS script with all the common field names they are interested in. Once the automated form filler enters all that information, the script captures it and logs it.
The best part is that the form does not have to be visible. In fact, it probably works better if it isn’t, because then it is highly unlikely to raise suspicion. It’s really not phishing, as it doesn’t require the user to believe anything; the social engineering portion of the attack is simply absent (assuming the XSS itself doesn’t require it). As such, you can steal user information through any page, as long as the automatic form filling requires no user input to fill the form.
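As an added example (not code from the original post), here is a defender-side check for exactly this pattern: it audits a page’s input fields for autofill-target names that are visually hidden from the user, and notes when the enclosing form posts to another origin. The field-descriptor shape (name, id, autocomplete, style, width, height, formAction) and the sample hostnames are assumptions; in a browser the descriptors would be built from the live DOM.

```javascript
// Added example, not from the original post: flag inputs a form-filler would populate
// but the user cannot see. In a page, build `fields` from document.querySelectorAll("input").
const SENSITIVE = [                                   // common autofill targets
  /^(cc|card|credit)[-_]?(num|number|no)?$/i,         // card number
  /^(cc|card)[-_]?(exp|expiry|csc|cvc|cvv)/i,         // expiry, security code
  /^(tel|phone|mobile)/i,
  /^(name|fullname|first[-_]?name|last[-_]?name)$/i,
  /^(address|street|zip|postal)/i,
];
// Reasons a text field is effectively invisible, or [] if rendered normally.
// Browsers do not autofill type=hidden inputs, so only visual hiding is checked.
function hiddenReasons(f) {
  const style = (f.style || "").replace(/\s+/g, "").toLowerCase();
  const reasons = [];
  if (/display:none/.test(style)) reasons.push("display:none");
  if (/visibility:hidden/.test(style)) reasons.push("visibility:hidden");
  if (/opacity:0(;|$)/.test(style)) reasons.push("opacity:0");
  if (/(left|top):-\d{3,}px/.test(style)) reasons.push("positioned off-screen");
  if (f.width === 0 || f.height === 0) reasons.push("zero-size");
  return reasons;
}
function isSensitiveName(f) {
  return [f.name, f.id, f.autocomplete].filter(Boolean)
    .some((v) => SENSITIVE.some((re) => re.test(v)));
}
// Report sensitive-but-hidden fields; a form action on another origin than the
// page is noted too, since it means the filled values leave the site on submit.
function findAutofillTraps(fields, pageOrigin) {
  const findings = [];
  for (const f of fields) {
    if (!isSensitiveName(f)) continue;
    const reasons = hiddenReasons(f);
    if (reasons.length === 0) continue;
    if (f.formAction && new URL(f.formAction, pageOrigin).origin !== pageOrigin) {
      reasons.push("form posts cross-origin");
    }
    findings.push({ field: f.name || f.id, reasons });
  }
  return findings;
}
// Constructed sample: a visible login field, an off-screen card-number field whose
// form posts to a hypothetical third-party host, and a CSRF token (not autofilled).
const SAMPLE_FIELDS = [
  { name: "username", type: "text", style: "", width: 200, height: 30 },
  { name: "ccnumber", autocomplete: "cc-number", type: "text", width: 200, height: 30,
    style: "position:absolute; left:-9999px", formAction: "https://collector.example/log" },
  { name: "csrf_token", type: "hidden", style: "", width: 0, height: 0 },
];
const findings = findAutofillTraps(SAMPLE_FIELDS, "https://shop.example");
```

Run against the sample, only the off-screen `ccnumber` field is reported, with both the hiding technique and the cross-origin form action as reasons; the visible login field and the CSRF token are ignored.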