This week's giveaway is in the Spring forum.
We're giving away four copies of REST with Spring (video course) and have Eugen Paraschiv on-line!
See this thread for details.
The moose likes Security and the fly likes cross site scripting Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of REST with Spring (video course) this week in the Spring forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "cross site scripting" Watch "cross site scripting" New topic

cross site scripting

David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 331
I've been googling about cross site scripting. for now, I understand that it's a form of injecting malicious script into some input field which will then be saved into database. Can anybody show me why this is harmful? lets say I'm opening a personal information screen to apply for an online shopping website membership, I type in some malicious script into the first name field and submitted the form. the first name field will then be persisted to the website's database, so where's the harm? I'm still not following. can anybody please enlighten me on this issue? thanks
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42959
The harm is not in that script being stored on the server, the harm is in that script being executed when you call up a page that executes it (in your example that would be a page displaying your first name). But this is a big subject, and many treatises have been written about it; the points to a couple of them that discuss XSS at length.
David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 331
I just found out that cross site scripting can be used to steal your session. how does this work? Does the hacker need to have access to the victim's computer in order for this to work? thanks
Jeanne Boyarsky
author & internet detective

Joined: May 26, 2003
Posts: 32815

A XSS attack can send your session cookie to the hacker. See this OWASP page for other ways a hacker could steal your session cookie. And the attacker does not need access to the victim's computer for this to work.

[OCA 8 book] [Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Other Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, TOGAF part 1 and part 2
I agree. Here's the link:
subject: cross site scripting
jQuery in Action, 3rd edition