A threat to the security of many web applications today is posed by a software exploitation technique commonly known as “cross-site scripting.” Generally speaking, cross-site scripting is a process through which an attacker compromises the security of a web application by posting malicious web script code onto a web site through the web application's own user interface. The intent of a cross-site scripting attempt is to upload the malicious web script onto the web site so that this malicious payload is delivered to the web browsers of unsuspecting users who happen to browse to the locations where the malicious payload has been placed.
If an attacker has successfully executed a cross-site scripting attack and delivered a malicious payload to an unsuspecting user's web browser, the attacker may use that payload to retrieve and hijack the user's common gateway interface (CGI) session identifier (ID). Generally speaking, a CGI session ID is an identifier that enables the user to engage in a secured web session with a web site and/or web application. Once the attacker has hijacked the user's CGI session ID, the attacker may connect to the web site and/or web application and submit the compromised session ID in an attempt to impersonate the unsuspecting user.
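The two defensive controls implied by the description above, shown side by side as an added example (not code from the original text): the vulnerable rendering that reflects posted text verbatim next to its escaped form, and a session cookie built so page script cannot read the session ID even if an injection succeeds. The cookie name `sessionid`, the placeholder session ID value and the sample comment are constructed assumptions.

```python
import html

# Constructed sample input: a user-submitted comment containing markup,
# standing in for script an attacker posts through the application's own UI.
SAMPLE_COMMENT = '<script>alert("xss")</script> nice post!'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: interpolates untrusted text straight into the page body,
    so any markup in the comment is executed by every visitor's browser."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-escape untrusted text so the browser renders it as data.
    quote=True also escapes quotes, which matters inside attribute values."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def contains_active_markup(rendered: str) -> bool:
    """Crude review check: does the rendered output still carry a raw <script> tag?"""
    return "<script" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value for the session ID (cookie name is assumed).
    HttpOnly keeps the ID out of document.cookie, so injected script cannot
    read it; Secure restricts it to HTTPS; SameSite limits cross-site sending."""
    return f"sessionid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_is_hardened(header: str) -> bool:
    """Return True when the Set-Cookie value carries both HttpOnly and Secure."""
    attrs = {part.strip().lower() for part in header.split(";")[1:]}
    return "httponly" in attrs and "secure" in attrs


if __name__ == "__main__":
    print("unsafe :", render_comment_unsafe(SAMPLE_COMMENT))
    print("safe   :", render_comment_safe(SAMPLE_COMMENT))
    print("cookie :", session_cookie_header("PLACEHOLDER-SESSION-ID"))
```

Escaping on output stops the stored payload from running; the HttpOnly cookie limits what a payload that does run can take, and the two should be used together rather than as alternatives.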