I've been googling about cross-site scripting. For now, I understand that it's a form of injecting malicious script into some input field, which will then be saved into a database. Can anybody show me why this is harmful? Let's say I'm opening a personal information screen to apply for an online shopping website membership, I type some malicious script into the first name field and submit the form. The first name field will then be persisted to the website's database, so where's the harm? I'm still not following. Can anybody please enlighten me on this issue? Thanks
The harm is not in that script being stored on the server; the harm is in that script being executed when you call up a page that executes it (in your example, that would be a page displaying your first name). But this is a big subject, and many treatises have been written about it; the Security FAQ at http://www.coderanch.com/how-to/java/SecurityFaq#web-apps points to a couple of them that discuss XSS at length.
An XSS attack can send your session cookie to the hacker. See this OWASP page for other ways a hacker could steal your session cookie. And the attacker does not need access to the victim's computer for this to work.
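The two answers above make two points: the stored first name only becomes dangerous when a page renders it as HTML, and the usual prize is the viewer's session cookie. The following is an added example, not code from the thread or from CodeRanch, showing both sides from the defender's seat in Node.js: a profile page that concatenates the stored value straight into HTML beside one that applies HTML entity encoding first, and a Set-Cookie builder that marks the session cookie HttpOnly so that script running in the page cannot read it. The stored value, the cookie name (JSESSIONID is just the familiar Java servlet default) and the cookie attribute defaults are all constructed for the example.

```javascript
// Added example (not from the original thread): why a stored first name that
// contains script is harmful, and the two server-side controls that matter.

// Constructed sample: what a visitor might have typed into the "first name"
// field. alert(1) is the harmless canary testers use to prove script runs.
const STORED_FIRST_NAME = "Bob<script>alert(1)</script>";

// Vulnerable rendering: the stored value is concatenated straight into HTML,
// so the browser of whoever views this page parses and runs the script.
function renderProfileUnsafe(firstName) {
  return `<p>Welcome back, ${firstName}!</p>`;
}

// Contextual output encoding for an HTML text node: the five characters that
// can change HTML structure are replaced by entities, so the stored text is
// displayed literally instead of being parsed as markup.
function escapeHtml(value) {
  const entities = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Same page, but every untrusted value passes through escapeHtml() first.
function renderProfileSafe(firstName) {
  return `<p>Welcome back, ${escapeHtml(firstName)}!</p>`;
}

// Does the rendered HTML still contain a script element? A minimal check used
// only to show the difference; a real review would run an HTML parser.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Second control: the session cookie. With HttpOnly the browser withholds the
// cookie from document.cookie, so script that does run cannot read it and
// send it elsewhere. Secure and SameSite=Lax are assumed defaults here.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600 } = {}) {
  // Cookie values must not contain separators; reject rather than guess.
  if (!/^[A-Za-z0-9_-]+$/.test(value)) {
    throw new Error("cookie value contains characters outside the allowed set");
  }
  return [
    `${name}=${value}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Read back the attribute names of a Set-Cookie header (lower-cased), so a
// test or a response filter can confirm HttpOnly is really present.
function cookieAttributes(setCookieHeader) {
  return setCookieHeader
    .split(";")
    .slice(1)
    .map((attr) => attr.trim().split("=")[0].toLowerCase());
}

console.log("unsafe:", renderProfileUnsafe(STORED_FIRST_NAME));
console.log("safe:  ", renderProfileSafe(STORED_FIRST_NAME));
console.log("cookie:", buildSessionCookie("JSESSIONID", "example-session-id"));
```

The unsafe render hands the browser a real script element; the safe render hands it the text `&lt;script&gt;`, which the browser displays as angle brackets and never executes. Note that escapeHtml() is only correct for text placed between tags: a value inserted into an attribute, a URL or a JavaScript block needs the encoding for that context. HttpOnly does not stop the script from running, it only removes the cookie from what the script can read, which is why it complements output encoding rather than replacing it.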