kumarjayanti
#1
Hi Justin

Had a question about the XSS attack described on page 142.

----
In order to exploit this, an attacker would forge a malicious URI pointing to the protected resource:
http://localhost:9002/helloWorld?access_token=TOKEN&language=<script>alert('XSS')</script>
When the victim clicks on it, the attack is completed, forcing the JavaScript to execute.
----

My doubt is: the attacker does not have the access_token at this point, so in the above URL, what is the value of TOKEN that the attacker would include?

Thanks.
Justin Richer
#2
It doesn't have to be the victim's access token, just one that the attacker can leverage as part of the API.
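The resource in the quoted excerpt only checks that the presented token is valid, not whose it is, so a token the attacker already holds is enough to get the forged request past the authorization check; the reflected `language` value then does the rest. The following is an added example, not code from the book or from anyone in this thread: a toy stand-in for the helloWorld protected resource with the reflecting branch shown raw and then HTML-escaped. The token values, the greeting table and the names `handleVulnerable`, `handleHardened` and `containsScriptTag` are constructed for this illustration.

```javascript
// Added example (not the book's code): a minimal stand-in for a protected resource
// that reflects its `language` query parameter into an HTML response.

// Constructed set of tokens the resource accepts. One belongs to the attacker's own
// client; the resource cannot tell from the token alone who opened the link.
const VALID_TOKENS = new Set(['TOKEN_ATTACKER_OWNED', 'TOKEN_VICTIM']);

// Constructed greeting table; any other language value hits the reflecting branch.
const GREETINGS = { en: 'Hello World', de: 'Hallo Welt', fr: 'Bonjour monde' };

// Entity-escape text that is placed inside an HTML element body.
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Shared front half: validate the bearer token, then read the language parameter.
// WHATWG URL parsing decodes the query value, so `<` and `>` arrive as typed.
function parseRequest(requestUrl) {
  const url = new URL(requestUrl);
  const token = url.searchParams.get('access_token');
  if (!VALID_TOKENS.has(token)) {
    return { status: 401, body: '' };
  }
  return { status: 200, language: url.searchParams.get('language') || 'en' };
}

// Vulnerable handler: the "invalid language" branch interpolates the raw value.
function handleVulnerable(requestUrl) {
  const req = parseRequest(requestUrl);
  if (req.status !== 200) return req;
  const greeting = GREETINGS[req.language];
  const body = greeting
    ? `<p>${greeting}</p>`
    : `<p>Error, invalid language: ${req.language}</p>`;
  return { status: 200, body };
}

// Hardened handler: identical logic, but the reflected value is escaped on output.
function handleHardened(requestUrl) {
  const req = parseRequest(requestUrl);
  if (req.status !== 200) return req;
  const greeting = GREETINGS[req.language];
  const body = greeting
    ? `<p>${greeting}</p>`
    : `<p>Error, invalid language: ${htmlEscape(req.language)}</p>`;
  return { status: 200, body };
}

// Detection check for a response body: does it carry a live <script> element?
function containsScriptTag(body) {
  return /<script\b/i.test(body);
}

// Constructed link of the shape quoted from the book, carrying the attacker's own
// token rather than the victim's.
const FORGED_URL =
  "http://localhost:9002/helloWorld?access_token=TOKEN_ATTACKER_OWNED&language=<script>alert('XSS')</script>";

console.log('vulnerable:', handleVulnerable(FORGED_URL).body);
console.log('hardened:  ', handleHardened(FORGED_URL).body);
```

Both handlers accept the attacker-owned token, which is the point of the answer above: the fix is not to guess whose token is in the link but to escape whatever the resource reflects, so the payload is rendered as inert text no matter which token got the request through. The example also illustrates why a bearer token in the query string is worth flagging during review, since the forged link carries it in plain sight.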