Tabbed browsing: Tabbed browsing is a feature of web browsers that lets users view multiple websites in a single window instead of opening a new browser window for each one. These extra web pages are represented by tabs at the top of the browser window.
Imagine that you are logged in to Facebook and visit a malicious website in the same browser, in a different tab. Without the same-origin policy (SOP), an attacker could use JavaScript to go through your profile and other sensitive information: read your private messages, send fake messages, read your chats, and so on.
SOP: The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page only if both web pages have the same origin.
XHR: XMLHttpRequest is an API in the form of an object whose methods transfer data between a web browser and a web server. With it a script can:
→ Update a web page without reloading the page
→ Request data from a server after the page has loaded
→ Receive data from a server after the page has loaded
→ Send data to a server in the background
CSRF: Cross-site request forgery, also known as a single-click attack or session traversing, is an attack in which a malicious website sends a request to a web application that the user is already authenticated against, from a different site. In this way an attacker can invoke functionality in the targeted web application through the victim's already-authenticated browser.
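The two checks described above, SOP's origin comparison and a server-side CSRF guard, as an added example that is not part of the original page. The origin is scheme + host + port (the standard WHATWG URL class computes it); the server-side function, header names and sample requests are assumptions constructed for illustration.

```javascript
// Added example (not from the original page). Models (1) the origin comparison a
// browser makes under the same-origin policy and (2) a server-side CSRF check.
// Runs in Node.js (>= 10) or a browser; URL is the standard WHATWG class.

// Origin = scheme + host + port. URL.origin drops default ports, so
// "https://site.example:443" and "https://site.example" compare equal.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// True only when scheme, host and port all match; path and query are ignored.
function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Hypothetical server-side CSRF guard. A state-changing request is accepted only if
//  - its Origin header (or, failing that, Referer) matches the app's own origin, and
//  - it carries the anti-CSRF token bound to the user's session.
// The token cannot live in a cookie alone: cookies are attached automatically to
// cross-site requests, which is exactly what CSRF abuses.
function csrfCheck(appOrigin, sessionToken, request) {
  const source = request.headers.origin || request.headers.referer;
  if (!source || !isSameOrigin(source, appOrigin)) {
    return { ok: false, reason: 'cross-origin request' };
  }
  if (request.body.csrf_token !== sessionToken) {
    return { ok: false, reason: 'missing or invalid CSRF token' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample data: the app's origin, the victim's session token and two POSTs.
const APP = 'https://social.example';
const SESSION_TOKEN = 'tok-1234'; // constructed; real tokens are random, per session

// Legitimate request issued by the app's own page (same origin, token present).
const goodRequest = {
  headers: { origin: 'https://social.example' },
  body: { csrf_token: 'tok-1234', to: 'alice', text: 'hi' },
};

// Forged request launched from a malicious page in another tab: the browser still
// attaches the session cookie, but Origin reveals the real source, and SOP stops
// the attacker's page from reading the token out of the app's page.
const forgedRequest = {
  headers: { origin: 'https://evil.example' },
  body: { to: 'alice', text: 'spam' },
};

console.log(csrfCheck(APP, SESSION_TOKEN, goodRequest));   // ok: true
console.log(csrfCheck(APP, SESSION_TOKEN, forgedRequest)); // ok: false, 'cross-origin request'
```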