■ Attacking other users instead of the server or application
■ Running malicious code with cross-site scripting (XSS)
■ Executing malicious commands with cross-site request forgery (CSRF)
■ Attacks that can’t be stopped: how the Social-Engineer Toolkit (SET) makes you a rock star
The target for web hackers has shifted away from the web server and web application and squarely onto the web user. Some web user attacks rely on web application vulnerabilities, while others don’t require any existing application vulnerability to succeed, but they all rely on the user unknowingly making a malicious request. Regardless of how the attack is delivered, the payload is executed on the user’s machine ...