And hacker tricks like Cross-Site Scripting and Cross-Site Request Forgery allow some sites to steal the "cookie" files downloaded to your browser, giving hackers access to any past site you've visited (see "How the Web is Hacked").
By splitting his Web time between the two, Grossman argues it's less likely that an insecure site could use a trick like Cross-Site Scripting or Cross-Site Request Forgery to steal the "cookie" files that would allow access to the secure sites.
2008 saw dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc.
The web application supplied to developers had seven known vulnerabilities, including three different types: Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection.
However, it hasn't made much of an impact on browser attacks like HTML injection (aka cross-site scripting), cross-site request forgery (CSRF), clickjacking, or malware.
The Qualys Web Application Scanner finds these vulnerabilities, including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection.
Some of these attacks, namely, cross-site scripting (XSS) and cross-site request forgery (CSRF), rely on vulnerabilities in the web application that can be used to exploit users.
So-called "cross-site request forgery" can be used to steal information from many password-protected sites.
Cross-Site Scripting, and its related cousin, Cross-Site Request Forgery (XSRF), have led to attacks and exploits such as MySpace being taken down (via a worm, Sammy), data being stolen from 18 Million users of a Korean auction site, a Gmail weakness used to blackmail a domain owner and even an exploit targeted at changing the settings on a user's local broadband router.
