An attack where malicious JavaScript is injected into a page and runs in other users' browsers, where it can read sensitive data such as session tokens. HttpOnly cookies are one layer of defense, since script cannot read them even if an XSS attack lands.
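Added example (not part of the original entry): a small audit that parses Set-Cookie header values and reports which cookies lack the HttpOnly attribute, i.e. which ones an injected script could read. The header values are constructed samples; `parseSetCookie` and `cookiesExposedToScript` are names chosen here.

```javascript
// Parse one Set-Cookie header value into its cookie name and a map of
// attributes (keys lower-cased; flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Names of cookies that would be visible to page script (document.cookie)
// because they were set without HttpOnly. These are the ones an XSS payload
// could exfiltrate; HttpOnly cookies are still sent on requests but not
// readable by script.
function cookiesExposedToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !("httponly" in c.attributes))
    .map((c) => c.name);
}

// Constructed sample response headers: only the session cookie is hardened.
const SAMPLE_SET_COOKIE_HEADERS = [
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/",
  "csrf=xyz; Path=/; Secure",
];

// Audit helper: true when every session-bearing cookie name in the list
// carries HttpOnly.
function sessionCookiesAreHttpOnly(setCookieHeaders, sessionNames) {
  const exposed = new Set(cookiesExposedToScript(setCookieHeaders));
  return sessionNames.every((n) => !exposed.has(n));
}

console.log(cookiesExposedToScript(SAMPLE_SET_COOKIE_HEADERS));
```

Run it against the Set-Cookie headers of a real login response to see which cookies an XSS payload would be able to read.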