Script injection attacks occur when a hacker takes a few
lines of malicious programming code and enters it in to a form on our Website
and then submits the form. If the Website is data driven then chances of risk
is more on the Website. Hackers will often inject scripts in to our forms to
try and make the system fooled in to thinking that they are valid users in
order to delete data or change data or access data from database.
The basic technique for a script injection attack is for the
client to submit content with embedded scripting tags. These scripting tags can
include <script>, <object>, <applet>, and <embed>.
Although the application can specifically check for these tags and use HTML
encoding to replace the tags with harmless HTML entities, that basic validation
often is not performed.