The majority of interesting attacks against web applications involve targeting the server-side application itself. Many of these attacks do of course impinge upon other users — for example, an SQL injection attack that steals other users' data. But the essential methodology of the attacker is to interact with the server in unexpected ways in order to perform unauthorized actions and access unauthorized data.

The attacks described in this chapter are in a different category, because the primary target of the attacker is the application's other users. All of the relevant vulnerabilities still exist within the server-side application. However, the attacker leverages some aspect of the application's behavior in order to carry out malicious actions against another end user. These actions may result in some of the same effects that we have already examined, such as session hijacking, unauthorized actions, and the disclosure of personal data. They may also result in other undesirable outcomes, such as logging of keystrokes or execution of arbitrary commands on users' computers.

Other areas of software security have witnessed a gradual shift in focus from server-side to client-side attacks in recent years. To take one example, Microsoft used to announce serious security vulnerabilities within their server products on a frequent basis. Although numerous client-side flaws were also disclosed, these received much less attention because servers presented a much ...