Session hijacking, XSS and CSRF
Session (or cookie) hijacking
In hijackings, the attacker uses an exploit on a device to take over a session between this device and a host. It disconnects then the device from the communication. The server still believes that it is communicating to the original device and sends private information to the attacker.
Cross-site scripting ("XSS")
Companies like Twitter, Facebook, MySpace or YouTube have experienced XSS attacks in different forms, that represent one of the main threats to the net.
Cross-site request forgery ("CSRF")
Successful CSRF attacks are little documented. Nevertheless, a european bank allowed illicit money transfers due to a CSRF attack, and hackers infiltrated an asian telecom operator system to steal 8 million customer coordinates with a similar attack.
Unlike cross-site scripting (XSS) which exploits the trust a device has for a particular server, CSRF exploits the trust that a server has in a user's browser or hybrid app. In a first step, the user connects to a known server and authenticates himself. Then he is pointed to a malicious server, which injects a script into the user browser or the hybrid app. This script tricks the device to send an action request to the previous server. If the targeted server keeps the user authentication information in a cookie and the cookie hasn't expired, the action may succeed.