Cross-site scripting (XSS) is another vulnerability commonly seen in HTML markup implementations. It arises when the HTML contains direct input from the request, either via form submission or a URI parameter.
Notice that the link in each list item carries a URI parameter as input.
<ul>
<li><a href="message.cgi?say=Hello">Say Hello</a>
<li><a href="message.cgi?say=Welcome">Say Welcome</a>
<li><a href="message.cgi?say=Kittens">Say Kittens</a>
</ul>
If the server does not validate those parameters and prints them as they are, an attacker can perform an attack by making the following request:
http://example.com/message.cgi?say=%3Cscript%3Ealert%28%27Oh%20no%21%27%29%3C/script%3E
This can wreak unknown havoc on the server.
One type is SQL injection, performed by injecting SQL instructions. This includes extracting data, creating a bypass, or even destroying databases, depending on the attacker's intention.
Sending instructions to cause service destruction and sabotage.
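How the request above plays out in a handler, as an added example that is not code from the original page: `render_unsafe` prints the parameter as it is, while `render_escaped` and `render_validated` apply output encoding and allowlist validation. The Python handler and its function names are assumptions; the allowlist is taken from the three links above.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Allowlist built from the three menu links shown above.
ALLOWED_MESSAGES = {"Hello", "Welcome", "Kittens"}

# The request URL from the text above.
REQUEST = ("http://example.com/message.cgi"
           "?say=%3Cscript%3Ealert%28%27Oh%20no%21%27%29%3C/script%3E")


def get_say(url):
    """Extract and percent-decode the 'say' parameter from a request URL."""
    query = urlsplit(url).query
    return parse_qs(query).get("say", [""])[0]


def render_unsafe(say):
    """Vulnerable: the decoded parameter is printed into the markup as-is."""
    return "<p>" + say + "</p>"


def render_escaped(say):
    """Output encoding: <, >, & and both quote characters become entities."""
    return "<p>" + html.escape(say, quote=True) + "</p>"


def render_validated(say):
    """Input validation: accept only known values, then still encode."""
    if say not in ALLOWED_MESSAGES:
        return "<p>Unknown message</p>"
    return render_escaped(say)


if __name__ == "__main__":
    say = get_say(REQUEST)
    print("decoded  :", say)
    print("unsafe   :", render_unsafe(say))     # markup reaches the browser
    print("escaped  :", render_escaped(say))    # rendered as inert text
    print("validated:", render_validated(say))  # rejected outright
```

Validation and encoding are complementary: the allowlist rejects unexpected values, and the encoding keeps any value that is accepted from being interpreted as markup.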
To counter this vulnerability, we practice: