Web applications provide end users with client access to server functionality through a set of Web pages. These pages often contain Javascript code to be executed dynamically within the client web browser. However, Web applications, such as web browsers, are subject to attacks, such as cross-site scripting, or cookie theft, among many others.
Of the current attacks on web applications, script injection based attacks are by far the most common. A script injection vulnerability may be present whenever a web application includes data of uncertain origin. In a typical attack, malicious data with surreptitiously embedded scripts is included in requests to a benign web application server. Later, the server may include that data and scripts in web pages it returns to unsuspecting users. Since web browsers execute scripts on a page with web application, these returned scripts can give attackers control over the user's web application activities and/or client devices.