A cross-site scripting (XSS) attack can occur when input text from the browser (typically data from a POST body or from query parameters on a URL) is displayed by an application without being filtered for characters that can form a valid, executable script when rendered by the browser.
An attack URL can be presented to unsuspecting users. When the web server receives the request, the application may return a page that includes the input characters, perhaps along with an error message about bad parameters on the query string. Rendering those parameters in the browser can cause an unwanted script to execute there.
For example, when a user types news into a search engine web page, the application normally returns a blank field or a response such as:
Your search for news returned the following:
However, in response to an attack URL, the browser might receive a response such as:
news<script>BadProgram</script>
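The reflection described above, as an added example that is not part of the original CA page: a search handler that echoes the query parameter verbatim next to one that HTML-encodes it first, run against a constructed attack URL. The parameter name q and the hostname are assumptions.

```python
import html
from urllib.parse import urlparse, parse_qs

def term_from_url(url):
    # Pull the search term out of the query string, decoding %XX escapes
    # the same way a web server would before handing it to the application.
    return parse_qs(urlparse(url).query).get("q", [""])[0]

def render_unsafe(term):
    # The defect the page describes: the browser-supplied text is placed
    # into the HTML response without any encoding.
    return f"<p>Your search for {term} returned the following:</p>"

def render_safe(term):
    # The fix: encode <, >, &, and quotes so the browser treats the term as
    # text to display rather than markup to interpret.
    return f"<p>Your search for {html.escape(term, quote=True)} returned the following:</p>"

def reflects_script(rendered):
    # Crude response check a reviewer or test suite can apply: does the
    # rendered page contain an un-encoded script tag?
    return "<script" in rendered.lower()

# Constructed attack URL (hostname and parameter name are hypothetical).
ATTACK_URL = "https://search.example/results?q=news%3Cscript%3EBadProgram%3C/script%3E"

if __name__ == "__main__":
    term = term_from_url(ATTACK_URL)
    print("unsafe:", render_unsafe(term), "->", reflects_script(render_unsafe(term)))
    print("safe:  ", render_safe(term), "->", reflects_script(render_safe(term)))
```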
Copyright © 2011 CA. All rights reserved.