developerWorks: Prevent a Cross-Site Scripting Attack
Feb 09, 2004, 10:00
(Other stories by Anand K. Sharma)
"Most existing browsers are capable of interpreting and
executing scripts -- created in such scripting languages as
downloads from the Web server. When an attacker introduces a
malicious script to a dynamic form submitted by the user, a
cross-site scripting (XSS) attack then occurs.

"An XSS attack leads to undesirable effects. For example, the
attacker gains the ability to capture the session information, peer
into private user details such as ID, passwords, credit card
information, home address and telephone number, social security/tax
IDs, and so on. If the targeted Web site doesn't check for this
type of malicious code, misuse of the user is probable..."