Which programming language are attack scripts typically written in when targeting web browsers through XSS?

Attack scripts that target web browsers through Cross-Site Scripting (XSS) vulnerabilities are typically written in JavaScript. This is mainly because JavaScript is the scripting language that browsers natively understand and execute. When an attacker exploits an XSS vulnerability, they inject malicious JavaScript into a website, which then runs in the browser context of unsuspecting users. The ability of JavaScript to manipulate the Document Object Model (DOM) and perform various actions within the browser (such as generating unauthorized requests, stealing cookies, or displaying deceptive content) makes it the preferred choice for these types of attacks.

While other programming languages like HTML, Python, and Java can play roles in the broader context of web development or server-side scripting, they do not possess the same capability to manipulate the client-side behavior of web applications directly within users' browsers as JavaScript does. HTML is primarily a markup language used for structuring content, while Python and Java are more commonly used for back-end programming or as application programming languages rather than for direct browser-based scripting.