Web Courses cross-site scripting (XSS) example

By exploiting a vulnerability in WebCourses (http://courses.ced.tuc.gr/ or http://courses.ece.tuc.gr/), we can inject custom JavaScript code into the page without the logged-in user even noticing.
The demo page calls the WebCourses API that saves the last page visited on WebCourses, and uses that call to feed the web server the custom code. The page then loads WebCourses, which executes the injected code while it loads the last visited page from the WebCourses API.
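
The checks that close this path, as an added example that is not WebCourses code: validate the "last page" value when the API stores it, and encode it when it is rendered. It assumes the value is meant to be a path on the site itself; `safeLastPage`, `escapeHtml`, `classify` and the sample values are hypothetical names and constructed data.

```javascript
// Added example, not WebCourses code. Assumption: the saved "last page"
// value is only ever meant to be a path on the WebCourses site itself.
const SITE_ORIGIN = "http://courses.ece.tuc.gr"; // host named on this page

// Return a normalized same-site path, or null if the value must be rejected.
function safeLastPage(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 2048) return null;
  // Reject control characters, backslashes and markup/quote characters outright.
  if (/[\u0000-\u001f\u007f\\<>"'`]/.test(value)) return null;
  // Must be a rooted path; "//host" would be a scheme-relative URL.
  if (!value.startsWith("/") || value.startsWith("//")) return null;
  let url;
  try {
    url = new URL(value, SITE_ORIGIN);
  } catch {
    return null;
  }
  // Belt and braces: whatever the parser resolved must still be this site.
  if (url.origin !== SITE_ORIGIN) return null;
  return url.pathname + url.search;
}

// Encode on output too, so a value stored before validation existed
// is rendered as text instead of being interpreted as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample values for the "last page" field.
const SAMPLES = [
  "/course/view?id=12",
  "//other.example/page",
  "javascript:void(0)",
  '/page"><b>markup</b>',
  "http://other.example/",
];

// Pair each input with the path that would be stored (null = rejected).
function classify(values) {
  return values.map((v) => ({ value: v, stored: safeLastPage(v) }));
}

console.log(classify(SAMPLES));
```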

Here is a demo that uses the XSS to steal the user's information and send it to the attacker.



Programmers :