XSS

In the web security class this week, I learned another class of attacks: cross site scripting attacks, or XSS for short. What is XSS? In essence, an XSS attack occurs when site A manages to get a script that it wants to run into site B. An example of a reflected XSS is as follows: Evil.com gets Joe to click on a malicious link. That link then directs Joe to a bank.com domain, along a query parameter (e.g. bank.com?q=BALANCE). Evil.com knows that bank.com’s code is badly written, such that anything sent along the query parameter will be reflected in the html file, unsanitized. As such, it injects <script>sendcookies</script> into the query. When the HTML page loads, the script is ran, and Joe’s cookies are then sent to Evil.com. ...