Dynamic websites suffer from a threat that static websites don’t, called “Cross Site Scripting” (or XSS). Attackers can inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application - often to gather information from users. Imagine yesterday’s example only more advanced and as part of a phishing scam - (fraud is not cool).
From osvdb.org
ATutor contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the search.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user’s browser within the trust relationship between the browser and the server, leading to a loss of integrity.
The XSS-Proxy website at sourceforge is a great starting point for getting a primer on XSS and for understanding cross site scripting attacks.
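The OSVDB entry quoted above describes the classic reflected pattern: a request parameter is written straight back into the page, so whatever markup the URL carries becomes part of the document the browser renders. The following Python is an added example written for this post; it is not ATutor's search.php and not code from the original article. It models a tiny search page twice, once concatenating the raw parameter (the defect OSVDB describes) and once HTML-escaping it, and adds a small check a developer can run in a test suite to catch a renderer that reflects markup characters unescaped. The page template, the parameter name `q`, the `example.invalid` host and the sample URL are all constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical stand-in for a search page template (not ATutor's).
PAGE = "<html><body><h1>Search results for: {q}</h1></body></html>"


def render_search_unsafe(query: str) -> str:
    """Vulnerable form: the raw parameter is dropped into the markup.

    Any '<', '>' or quote characters in `query` become live HTML, which is
    exactly the 'does not validate ... upon submission' defect described.
    """
    return PAGE.format(q=query)


def render_search_safe(query: str) -> str:
    """Hardened form: encode the value for an HTML text node before output.

    html.escape turns <, >, &, " and ' into entities so the browser shows the
    text instead of interpreting it.  This encoding is correct for a text node;
    attribute values, URLs and inline script need context-specific encoding.
    """
    return PAGE.format(q=html.escape(query, quote=True))


def search_param_from_url(url: str) -> str:
    """Extract the (percent-decoded) 'q' parameter from a request URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def reflects_unescaped(url: str, renderer) -> bool:
    """Defender-side check for a renderer under test.

    Returns True when the parameter contains HTML-significant characters and
    the rendered page still contains that value verbatim, i.e. the markup was
    reflected without encoding.  Benign text (no special characters) is never
    reported, since reflecting it is harmless.
    """
    value = search_param_from_url(url)
    if not any(c in value for c in "<>\"'&"):
        return False
    return value in renderer(value)


# Constructed sample request: the standard textbook probe, percent-encoded
# the way a browser would send it.  Host and path are placeholders.
SAMPLE_URL = (
    "http://example.invalid/search.php"
    "?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)
BENIGN_URL = "http://example.invalid/search.php?q=atutor"


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_search_unsafe),
                           ("safe", render_search_safe)):
        print(f"{name:6s} reflects markup: {reflects_unescaped(SAMPLE_URL, renderer)}")
    print(render_search_safe(search_param_from_url(SAMPLE_URL)))
```

Run as a script it reports the unsafe renderer as reflecting markup and the escaped one as clean; the same `reflects_unescaped` check is the kind of assertion worth keeping in a web application's regression tests for every endpoint that echoes request data.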