The only way for an attacker to run malicious JavaScript in the victim's browser is to insert it into one of the pages that the victim downloads from the website. This can happen if the website directly includes user input in its pages, because the attacker can then supply a string that will be treated as code by the victim's browser.
In the example below, a simple server-side script is used to display the latest comment on a website:
print "<html>"
print "Latest comment:"
print database.latestComment
print "</html>"
The script assumes that a comment consists only of text. However, since the user input is included directly in the output, an attacker could submit the following as a comment: <script>...</script>. Any user visiting the page would then receive the following response:
<html>
Latest comment:
<script>...</script>
</html>
When the user's browser loads the page, it executes whatever JavaScript code is contained inside the <script> tags. The attacker's attack has now succeeded.
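The following Python example is added here to show the fix for the script above; it is not code from the original post. It places the page's vulnerable rendering next to a hardened version that HTML-escapes the comment before inserting it into element content. The comment value is a constructed sample standing in for database.latestComment, and the function names are hypothetical.

```python
import html

# Constructed sample value standing in for database.latestComment:
# a comment that contains markup instead of plain text.
SAMPLE_COMMENT = "<script>...</script>"


def render_unsafe(comment: str) -> str:
    """Mirrors the vulnerable script: the comment is concatenated verbatim,
    so any markup inside it becomes part of the page's structure."""
    return "<html>\nLatest comment:\n" + comment + "\n</html>"


def render_safe(comment: str) -> str:
    """Hardened version: escape the untrusted value for an HTML element-content
    context, so '<', '>', '&' and quote characters reach the browser as text."""
    return "<html>\nLatest comment:\n" + html.escape(comment, quote=True) + "\n</html>"


def contains_script_tag(page: str) -> bool:
    """Rough check used only to contrast the two renderings: is a literal
    <script start tag still present in the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = renderer(SAMPLE_COMMENT)
        print(f"--- {name} ---")
        print(page)
        print("script tag present:", contains_script_tag(page))
```

html.escape is the right tool only for text placed between tags; a value inserted into an attribute, a URL, or a JavaScript block needs the encoding rules of that context, so choose the escaping function by where the value lands, not by what it contains.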