Ch4 - 4.04 - Understanding Application Attacks Flashcards

1
Q

Cross-Site Scripting (XSS)

A

Cross-site scripting is a popular form of attack that involves the hacker inserting script code into a form on a web page and submitting the script code to the server.

The idea here is not to attack the server, but to have the server feed that script to another client, which parses the script and executes it.

A simple example of cross-site scripting is a hacker submitting script code in a form field whose value is stored in a database. When another person visits the site, the web server returns the stored data and sends it to that client's browser, where the script is parsed and executed.

2
Q

Cross-Site Request Forgery (CSRF)

A

Cross-site request forgery, CSRF or XSRF for short, is an attack that targets a user who is already authenticated to a web site, such as a bank's online banking site.

The user is then tricked by a hacker into loading a web page; for example, the hacker sends an e-mail message to the user and tricks the user into clicking a link. The malicious web page loads and sends commands (a form submission) to the bank site that the user is already logged in to.

The end result is that the user could unknowingly transfer money to the hacker's account.
