I am learning about "Session fixation" and have read the corresponding OWASP page.
In their Example 2 in the above page, they describe an attack via JavaScript, that is embedded in the URL like:
http://website.kom/<script>document.cookie=”sessionid=abcd”;</script>
I tried this with an embedded <script>alert("XSS!!");</script>
, but as expected, it did not work.
Is there ANY way, an URL can run embedded JavaScript?
Note: This question is somewhat similar to Execute reflected XSS in URL, but I am talking about scripts in the URL, not from a HTTP header.