Attacks on the client-side context

Abstract

Using attacks on the client-side context, the attacker can gain control over the target application running in the user’s browser. This allows him to steal the user’s sensitive information and manipulate the user’s actions. From the Web application’s point of view, these actions are indistinguishable from legitimate user actions. In this chapter, we investigate three ways of attacking the client-side context. The first is cross-site scripting (XSS), a very common and well-known attack, where the attacker injects JavaScript into the target application’s context. Second, we discuss scriptless attacks, which take the idea behind XSS, but use non-scripting technology to extract data or modify the application’s behavior. Finally, we investigate the dangers of remote script inclusions, which are ubiquitous on the Web, but prone to compromise.