
cross site scripting

 
David Spades
Ranch Hand
Posts: 348
I've been googling about cross site scripting. For now, I understand that it's a form of injecting malicious script into some input field, which will then be saved into a database. Can anybody show me why this is harmful? Let's say I'm opening a personal information screen to apply for an online shopping website membership, I type some malicious script into the first name field and submit the form. The first name field will then be persisted to the website's database, so where's the harm? I'm still not following. Can anybody please enlighten me on this issue? Thanks
 
Ulf Dittmer
Rancher
Posts: 42968
The harm is not in that script being stored on the server; the harm is in that script being executed when you call up a page that executes it (in your example, that would be a page displaying your first name). But this is a big subject, and many treatises have been written about it; the http://www.coderanch.com/how-to/java/SecurityFaq#web-apps page points to a couple of them that discuss XSS at length.
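To make the point of the answer above concrete, here is an added example (not code from the thread or from the FAQ it links): a stored first name is inert in the database, and the damage happens only when a page interpolates it into HTML without encoding. The "database row", the payload, and the function names are all constructed for this illustration; the hardening shown is output encoding at the point where untrusted data is written into the page.

```javascript
// Constructed "database row" standing in for the persisted membership form.
// The stored value is just text; nothing runs while it sits in the database.
const storedProfile = {
  firstName: '<script>alert("xss")</script>', // constructed sample input
};

// Encode the characters HTML treats as markup so stored text is rendered
// as text and never parsed as an element or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored value is dropped straight into the page,
// so the browser parses the stored <script> element and executes it.
function renderProfileUnsafe(profile) {
  return `<p>Welcome, ${profile.firstName}!</p>`;
}

// Hardened rendering: the same value is escaped at the point of output,
// so the browser displays the angle brackets instead of running a script.
function renderProfileSafe(profile) {
  return `<p>Welcome, ${escapeHtml(profile.firstName)}!</p>`;
}

// Simple check a test suite could run over rendered pages: did any
// user-controlled value end up as a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderProfileUnsafe(storedProfile));
console.log('safe:  ', renderProfileSafe(storedProfile));
console.log('unsafe page contains script tag:', containsScriptTag(renderProfileUnsafe(storedProfile)));
console.log('safe page contains script tag:  ', containsScriptTag(renderProfileSafe(storedProfile)));
```

The escaping belongs where the value is written into HTML, not where it is read from the form: the same first name may later be emitted into an HTML body, an attribute, a JavaScript string or a URL, and each context needs its own encoder. Templating engines that escape by default (for example JSP's `<c:out>` or `${...}` in engines with auto-escaping) do this for you; the manual version above shows what they are doing.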
 
David Spades
Ranch Hand
Posts: 348
I just found out that cross site scripting can be used to steal your session. How does this work? Does the hacker need to have access to the victim's computer in order for this to work? Thanks
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34839
David,
An XSS attack can send your session cookie to the hacker. See this OWASP page for other ways a hacker could steal your session cookie. And the attacker does not need access to the victim's computer for this to work.
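The reason a script injected into a page can reach the session cookie at all is that, by default, page scripts can read every cookie for the site through `document.cookie`. Here is an added example (not from the thread or from OWASP) showing the server-side mitigation and a check for it: issue the session cookie with the `HttpOnly` attribute, which browsers honour by keeping the cookie out of `document.cookie`, and audit `Set-Cookie` headers for missing protections. The function names and the sample headers are constructed for this example; `JSESSIONID` is used only because it is the servlet container's default session cookie name.

```javascript
// Build a Set-Cookie header for a session identifier.
//  - HttpOnly: the browser will not expose the value to page scripts, so a
//    script injected via XSS cannot read it and send it elsewhere.
//  - Secure: the cookie is only sent over HTTPS.
//  - SameSite=Lax: the cookie is not attached to most cross-site requests.
function buildSessionCookie(name, sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session id must consist of URL-safe token characters');
  }
  return `${name}=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Parse a Set-Cookie header into its name, value and attribute map.
// Attribute names are lower-cased; flags without a value are stored as true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Report which protections a session cookie header is missing. An empty
// list means all three attributes are present.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!attrs.secure) findings.push('missing Secure: sent over plain HTTP');
  if (!attrs.samesite) findings.push('missing SameSite: sent on cross-site requests');
  return findings;
}

// Constructed sample headers: one issued by buildSessionCookie, one as a
// framework might emit it with the defaults left in place.
const hardenedHeader = buildSessionCookie('JSESSIONID', 'abc123DEF456');
const weakHeader = 'JSESSIONID=abc123DEF456; Path=/';

console.log(hardenedHeader);
console.log('findings for hardened header:', auditSessionCookie(hardenedHeader));
console.log('findings for weak header:', auditSessionCookie(weakHeader));
```

`HttpOnly` narrows what an injected script can do, but it is a second line of defence, not a replacement for output encoding: a script running in the victim's page can still issue requests that the browser sends with the cookie attached, acting as the user without ever reading the cookie value. Fixing the encoding of stored data (as in the first-name example above) removes the script; `HttpOnly` limits the damage if one slips through.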
 