[b0iler]
| you can change the html of a page. dangerous for example if the
| user is supposed to input their username and password, you can
| change where the form is sent, making it instead a logging script
| set up on your server.

Imagine an application in which customers would register a request to transfer money from one place to another. The transfer request was stored in a database. Before the transaction took place, it would be confirmed by a trusted employee using a web interface to the database. The employee would e.g. check that the source account was in fact owned by the person doing the request.

The problem was that it was possible to insert scripts in descriptive fields. One could thus register the request with an invalid (someone else's) account, and include a script that would modify the web page to display a valid account. The trusted employee would read the account number given by the script, while the database still contained the forged account. 1-0 to the bad guy.

Sverre.

--
shhat_private
Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/
http://nerdquiz.thathost.com/
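The failure Sverre describes, as an added example that is not part of the thread: a reviewer page that inserts the stored description raw next to one that HTML-escapes it, plus a confirmation check that compares the account the employee actually read against the database row. The transfer record, account strings and the inert marker script in the description are constructed for illustration.

```python
import html
from dataclasses import dataclass


# Constructed sample record: the stored request carries the forged account
# together with the free-text description in which markup was stored.
@dataclass
class TransferRequest:
    request_id: int
    source_account: str
    description: str


STORED = TransferRequest(
    request_id=42,
    source_account="ACCT-FORGED-0001",  # constructed: not owned by the requester
    description="Rent <script>/* constructed marker: would rewrite the page */</script>",
)


def render_vulnerable(req: TransferRequest) -> str:
    """Reviewer page as in the thread: the description is inserted raw, so any
    markup stored in it becomes part of the page the employee sees."""
    return (f"<p>Account: <span id=acct>{req.source_account}</span></p>"
            f"<p>Description: {req.description}</p>")


def render_hardened(req: TransferRequest) -> str:
    """Same page with every stored field escaped on output; the description is
    shown as text and can no longer add elements or scripts to the page."""
    return (f"<p>Account: <span id=acct>{html.escape(req.source_account)}</span></p>"
            f"<p>Description: {html.escape(req.description)}</p>")


def confirm(req: TransferRequest, account_seen_by_employee: str) -> bool:
    """Second line of defence: the confirmation form sends back the account
    number the employee read, and it is compared with the stored value.
    A mismatch means the page showed something other than the database row,
    so the transfer must not be approved."""
    return account_seen_by_employee == req.source_account


if __name__ == "__main__":
    print(render_vulnerable(STORED))
    print(render_hardened(STORED))
    print("approve:", confirm(STORED, "ACCT-VALID-0002"))  # what a rewritten page would show
```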
This archive was generated by hypermail 2b30 : Thu Mar 21 2002 - 14:57:17 PST