The Web application is vulnerable to cross-site scripting (XSS), which allows attackers to take advantage of
This vulnerability is often caused by server-side scripts written in languages such as PHP, ASP, .NET, Perl or Java,
which do not adequately filter data sent along with page requests or by vulnerable HTTP servers.
This malicious code appears to come from your Web application when it runs in the browser of an unsuspecting user.
An attacker can do the following damage with an exploit script:
- access other sites inside another client's private intranet
- steal another client's cookie(s)
- modify another client's cookie(s)
- steal another client's submitted form data
- modify another client's submitted form data before it reaches the server
- submit a form to your Web application on the user's behalf that modifies passwords or other application data
The two most common methods of attack are:
- Having a user click a URL link sent in an e-mail
- Having a user click a URL link while visiting a Web site
In both scenarios, the URL will generally link to the trusted site, but will contain additional data that is used to
trigger the XSS attack.
Note that SSL connectivity does not protect against this issue.
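The following is an added illustration, not part of the original text, of the cause described above: a server-side script that copies data from the request URL into the page, next to forms that encode it on output. Python stands in for the server-side languages listed; the host trusted.example, the q parameter, the page template and all function names are assumptions made for the example.

```python
# Added example (constructed): reflecting URL data with and without output encoding.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed links to the trusted site; the q parameter carries the extra data.
BASE = "https://trusted.example/search?q="
SAMPLE_TAG = BASE + "%3Cscript%3Eprobe()%3C/script%3E"   # markup in the value
SAMPLE_QUOTE = BASE + "%22%20data-probe=%221"            # quote in the value

# Elements and attribute names the (assumed) page template itself emits.
EXPECTED = [("p", ()), ("input", ("name", "value"))]

def get_param(url, name):
    """First value of a query parameter, percent-decoded; '' if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]

def render(url, encode):
    """Reflect q into an HTML body context and an attribute context."""
    q = encode(get_param(url, "q"))
    return f'<p>Results for: {q}</p><input name="q" value="{q}">'

def unfiltered(value):      # the flaw: request data copied into the page as-is
    return value

def body_only(value):       # encodes < > & but leaves quotes alone
    return html.escape(value, quote=False)

def encoded(value):         # encodes < > & " ' so both contexts are covered
    return html.escape(value, quote=True)

class _Structure(HTMLParser):
    """Records each start tag with its attribute names."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, tuple(name for name, _ in attrs)))

def structure_changed(url, encode):
    """True if request data added elements or attributes to the page."""
    parser = _Structure()
    parser.feed(render(url, encode))
    parser.close()
    return parser.seen != EXPECTED
```

Only the encoder that also escapes quotes leaves the page structure unchanged for both sample links; encoding that ignores quotes still fails in the attribute context.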