code injection

Code injection

Code injection into a user-accessible text field

This is the biggest risk for the modern social web, because nearly every website has a comment or feedback form where visitors can enter content and post it to your page for other visitors to see. Now, what happens when you type some Javascript into a comment form on your blog and post it? How about an SQL database query, or some rogue PHP code? How about accessing your site with the malicious code in the address bar?

Attackers will look for any vector that can be used to sneak a line of executable code onto your web server. Remember, all they need is to get one line through, and they’ve got a foothold. For example, an HTML tag called ‘iframe‘ can be used to embed another web page into the host web page. Setting the iframe’s attributes to ‘width=0’ and ‘height=0’ can keep it hidden. But the target of the iframe might be a web server on the other side of the world with a Javascript attack that will steal your user’s data or install malware on your user’s computer. This is just one of the many tricks out there.