Exploiting Web Application Vulnerabilities
Web applications are complex ecosystems consisting of application code, web platforms, operating systems, databases, and interconnected application programming interfaces (APIs). The complexity of these environments makes many different types of attack possible and provides fertile ground for penetration testers. We’ve already looked at a variety of attacks against web applications, including injection attacks, session hijacking, directory traversal, and more. In the following sections, we round out our look at web-based exploits by exploring cross-site scripting, cross-site request forgery, and clickjacking.
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page.
Reflected XSS
XSS attacks commonly occur when an application allows reflected input. For example, consider a simple web application that contains a...