Cross-site scripting (XSS) is the most popular avenue for attack against the corporate internal network. XSS remains the most popular attack against the masses because it is easy to find and to launch, while the consequences of the attack can be devastating. Although the scope of this chapter is beyond simple XSS tactics, no discussion of client-side exploitation would be complete without a mention of XSS. This section assumes that the reader is familiar with the concept of XSS. The goal of this section is to illustrate how sophisticated attackers today are able to leverage the most out of XSS vulnerabilities.

The amount of data that is passed between users and online applications is staggering. It seems that every significant business function has a web interface to manage various business actions and peruse data. The enormous amount of sensitive information passed in online transactions makes online data theft appealing and lucrative. Of the various online attacks, XSS remains one of the most prolific. Although numerous XSS attack techniques exist, this section will cover a few examples of attacks that focus on stealing user information. These attacks will progress in complexity and can be used as a foundation for more advanced, targeted attacks.