<form name=BillPayForm action=http://bank.com/BillPay.php>
  <input name=recipient value=badguy>
  ...
<script> document.BillPayForm.submit(); </script>
cross-site scripting
– user trusts a badly implemented website
– attacker injects a script into the trusted website
– user's browser executes the attacker's script
cross-site request forgery
– a badly implemented website trusts the user
– attacker tricks the user's browser into issuing a request
– website executes the attacker's request
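The bill-pay form at the top of the slide is the CSRF case: the attacker's page auto-submits a form, the victim's browser attaches the victim's cookie, and a site that trusts the cookie alone pays badguy. The following added example (not from the slides) shows, in Python, what a server-side handler needs so that the cookie alone is not enough: an exact-origin check and a per-session synchronizer token compared in constant time. The `Session` class, `bill_pay_handler`, `simulate` and the `attacker.example` origin are hypothetical; the bank.com/BillPay.php name comes from the slide.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Origin of the site being protected; the host is the slide's BillPay.php example.
SITE_ORIGIN = "https://bank.com"


@dataclass
class Session:
    """Server-side session record, looked up from the session cookie (hypothetical)."""
    user: str
    # Fresh unguessable token per session; a page on another site cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_bill_pay_form(session: Session) -> str:
    """The legitimate bill-pay form as the site would serve it, token embedded."""
    return (
        f'<form name=BillPayForm action="{SITE_ORIGIN}/BillPay.php" method=post>'
        f'<input type=hidden name=csrf_token value="{session.csrf_token}">'
        '<input name=recipient> <input name=amount> <input type=submit></form>'
    )


def same_origin(url: str) -> bool:
    """True only for an exact scheme+host match, so bank.com.evil.example does not pass."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def bill_pay_handler(session: Session, form: dict, headers: dict) -> tuple:
    """Server-side handler that does not act on the session cookie alone.

    `session` is whatever the cookie resolved to; in a CSRF attack that is the
    victim's real session, so the cookie proves nothing about the user's intent.
    Returns (http_status, message).
    """
    # Check 1: browsers attach Origin (or Referer) themselves and page scripts
    # cannot override it, so a form auto-submitted from another site fails here.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(origin):
        return 403, "cross-origin request rejected"
    # Check 2: synchronizer token. Only a page served by this site carries the
    # session's token; compare in constant time so the check leaks nothing.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"paid {form['amount']} to {form['recipient']} on behalf of {session.user}"


def simulate() -> dict:
    """Three submissions against one victim session; returns the status of each."""
    session = Session(user="alice")  # constructed victim session
    # (a) Legitimate: the browser posts the form the site rendered, token included.
    legit = bill_pay_handler(
        session,
        {"csrf_token": session.csrf_token, "recipient": "utility-co", "amount": "40"},
        {"Origin": SITE_ORIGIN},
    )
    # (b) The slide's attack: a page on another site auto-submits a form with
    # recipient=badguy. The browser sends alice's cookie, so `session` is hers,
    # but the request carries the attacker's Origin and no token.
    forged = bill_pay_handler(
        session,
        {"recipient": "badguy", "amount": "5000"},
        {"Origin": "https://attacker.example"},  # constructed attacker origin
    )
    # (c) Even if the origin check were somehow satisfied, a guessed token fails.
    guessed = bill_pay_handler(
        session,
        {"csrf_token": "not-the-real-token", "recipient": "badguy", "amount": "5000"},
        {"Origin": SITE_ORIGIN},
    )
    return {"legit": legit[0], "forged": forged[0], "guessed": guessed[0]}


if __name__ == "__main__":
    print(simulate())  # {'legit': 200, 'forged': 403, 'guessed': 403}
```

The two checks are independent: the token is the primary defense, and the origin check catches forged posts early. Marking the session cookie `SameSite=Lax` or `SameSite=Strict` is a complementary browser-side measure that stops the cookie from being attached to cross-site form posts in the first place.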
Structured Query Language (SQL)
widely used database query language
retrieve a set of records, e.g.,
SELECT * FROM Person WHERE Username='Lee'
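The slide's SELECT, run as an added example (not from the slides) against a constructed in-memory SQLite table with the same Person/Username names. It builds the query two ways: by pasting the username into the SQL text, where the value is parsed as part of the statement, and as a parameterized query, where the driver binds the value separately. The sample rows and the `compare` helper are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table using the slide's Person/Username names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (Username TEXT, Email TEXT)")
    conn.executemany(
        "INSERT INTO Person VALUES (?, ?)",
        [("Lee", "lee@example.com"), ("Kim", "kim@example.com"), ("O'Neil", "oneil@example.com")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Query text assembled by string concatenation: the value is parsed as SQL."""
    query = f"SELECT * FROM Person WHERE Username='{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value is bound separately and never parsed as SQL."""
    return conn.execute("SELECT * FROM Person WHERE Username=?", (username,)).fetchall()


def compare(conn: sqlite3.Connection, username: str) -> dict:
    """Run both forms on one input; a concatenated query that fails to parse is reported, not raised."""
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.OperationalError:
        unsafe = "syntax error"
    return {"unsafe": unsafe, "safe": lookup_safe(conn, username)}


if __name__ == "__main__":
    db = make_db()
    # Ordinary name: both forms return the single matching row.
    print(compare(db, "Lee"))
    # A legitimate name containing an apostrophe breaks the concatenated query
    # (the quote ends the string literal early) but binds correctly as a parameter.
    print(compare(db, "O'Neil"))
    # A quote followed by OR changes the structure of the WHERE clause in the
    # concatenated form and matches every row; the bound parameter matches nothing.
    print(compare(db, "x' OR '1'='1"))
```

The apostrophe case is the one to remember: the same defect that mangles a real name is what lets crafted input rewrite the query, and binding the value as a parameter fixes both because the database never sees the value as SQL text.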