Web applications provide end users with client access to server functionality through a set of Web pages. These pages often contain script code to be executed dynamically within the client Web browser. Most Web applications aim to enforce security policies; a Web-based e-mail client, for example, should disallow any scripts in untrusted e-mail messages. However, Web applications are subject to attacks, such as cross-site scripting, cookie theft, session riding, browser hijacking, and self-propagating worms.
Of the current attacks on Web applications, those based on script injection are by far the most common. For example, script injection is used in cross-site scripting and Web application worms. A script injection vulnerability may be present whenever a Web application includes data of uncertain origin in its Web pages; a third-party comment on a blog page is an example of such untrusted data. In a typical attack, malicious data with surreptitiously embedded scripts is included in requests to a benign Web application server. Later, the server may include that data and scripts in Web pages it returns to unsuspecting users. Since Web browsers execute scripts on a page with Web application authority, these returned scripts can give attackers control over the users' Web application activities and/or client devices.
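To make the blog-comment case concrete, here is an added example in JavaScript (not code from the paper): a rendering routine that concatenates an untrusted comment straight into HTML, beside one that HTML-escapes it first, plus a small check that flags script markup in rendered output. The comment text and all function names are constructed for this illustration.

```javascript
// Constructed sample: a third-party blog comment carrying an embedded script,
// standing in for the "malicious data" the paper describes.
const untrustedComment = 'Nice post! <script>alert("injected")</script>';

// Vulnerable rendering: the comment is concatenated directly into the page,
// so the browser parses the embedded <script> as part of the page and runs
// it with the blog's authority (its origin, cookies and session).
function renderCommentVulnerable(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// HTML-escape every character that can change markup structure, so the
// comment is displayed as text and never parsed as elements or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened rendering: same template, untrusted data escaped on output.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Regression check for rendered fragments: a script element or an inline
// event-handler attribute inside a tag means untrusted markup got through.
// This is a test-time check on the templates above, not a sanitizer.
function containsScriptMarkup(html) {
  return /<script\b/i.test(html) || /<[^>]*\son[a-z]+\s*=/i.test(html);
}

console.log(renderCommentVulnerable(untrustedComment)); // script survives
console.log(renderCommentSafe(untrustedComment));       // shown as text
```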