Validating the security credentials

The application stores each username in a local database.

A malicious user notices that the web application fails to sanitize the username field and inputs malicious JavaScript code as part of their username.

When other users view the attacker’s profile page, the malicious code automatically executes in the context of their session.

When attackers succeed in exploiting XSS vulnerabilities, they can gain access to account credentials.

Suppose further that the data is not validated, filtered or escaped.
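The stored-XSS scenario above, as an added example that is not part of the original page: a minimal Python profile renderer over an in-memory SQLite table, showing the unescaped rendering the text describes beside its escaped counterpart, plus an allowlist check on the username at input time. The table layout, the page template and the sample username are assumptions.

```python
import html
import re
import sqlite3

# Constructed sample: a username carrying script markup (assumption, not from the page).
MALICIOUS_USERNAME = "bob<script>alert(1)</script>"

# Fixed parts of the (hypothetical) profile template; only the text between them is user-controlled.
PREFIX, SUFFIX = "<h1>Profile of ", "</h1>"
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's local user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    return conn

def store_username(conn: sqlite3.Connection, username: str) -> int:
    # Parameterised insert; storing the raw text is not the bug, rendering it unescaped is.
    cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    conn.commit()
    return cur.lastrowid

def fetch_username(conn: sqlite3.Connection, user_id: int) -> str:
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return username

def render_profile_vulnerable(conn: sqlite3.Connection, user_id: int) -> str:
    """The defect the text describes: the stored username is interpolated into HTML as-is,
    so any markup in it is parsed and executed by every viewer's browser."""
    return f"{PREFIX}{fetch_username(conn, user_id)}{SUFFIX}"

def render_profile_hardened(conn: sqlite3.Connection, user_id: int) -> str:
    """Contextual output encoding: html.escape turns < > & and quotes into entities, so the
    browser displays the username as text instead of interpreting it as markup."""
    return f"{PREFIX}{html.escape(fetch_username(conn, user_id), quote=True)}{SUFFIX}"

def is_valid_username(username: str) -> bool:
    """Defence in depth at input time: an allowlist rejects markup characters outright."""
    return USERNAME_RE.fullmatch(username) is not None

def contains_markup(rendered: str) -> bool:
    """Output check: a raw '<' in the user-controlled slice means the browser will see a tag."""
    return "<" in rendered[len(PREFIX):-len(SUFFIX)]
```

Escaping at render time is the fix that matters; the allowlist only narrows what reaches the database and does not replace output encoding.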

could put up a page that causes the following URL to be loaded in the browser (e.g., in an invisible

The Cross-Site Scripting Cheat Sheet provides a summary of what you need to know about Cross-Site Scripting.

Exploiting human vulnerabilities (i.e., social engineering) is an approach widely used to achieve this goal.

The taxonomy defines a set of measurable criteria that are categorized according to different technological focus areas (e.g., applications and browsing) and within the context of psychological dimensions (e.g., knowledge, attitude, and behavior).

This should not be the case as XSS is easy to find and easy to fix.
