I'm mainly server sided. I haven't worked with JS that much before.
My coworker was talking about BeEF and how it basically controls the victim's browser just by a simple XSS attack.
I was wondering how it's possible. JavaScript is only executed when the user is on that page, correct? So when the user leaves that page, how can they still be controlling their browser if the JavaScript isn't running? The BeEF documentation says the malicious JavaScript checks for commands every once in a while, but that's not possible if the user isn't on that page with the malicious JavaScript.