XSS Exploits: Cross Site Scripting Exploits and Defense

CSRF

There is one attack that rivals XSS in both ease of exploitation and prevalence. Cross-site request forgery (CSRF, sometimes written XSRF) is a simple attack with a huge impact on Web application security. Let's look at what a simple cross-domain request might look like in an IFRAME:

Although this particular example is innocuous, let's pay special attention to what the browser does when it encounters this code. Let's assume that you have already authenticated to somebank.com and you then visit a page containing the code above. Assuming your browser understands and renders the IFRAME tag, it will not only display the banking Web site inside the frame, it will also send your somebank.com cookies, including your session cookie, along with that request. The bank therefore receives an authenticated request that it cannot distinguish from one you made yourself. Now let's ride the session and perform a CSRF attack against somebank.com:

The above code simulates what a CSRF attack might look like. It tricks the victim's browser into performing an action on the attacker's behalf, using the victim's authenticated session. In this case, the attacker is attempting to get the user to send one million dollars to account 123456. Unfortunately, an IFRAME is not the only way a CSRF attack can be performed. Let's look at a few other examples:

In these three examples, the type of data the browser expects to receive is irrelevant to the attack. For example, a request for an image should return a .jpg or .gif file, not the HTML the Web server will actually send back. However, by the time the browser...
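As an added example that is not part of the book, the following JavaScript simulates the whole exchange: the victim's browser building the requests that an IFRAME, an IMG or a hidden auto-submitting form would trigger, a vulnerable somebank.com transfer handler that honours them because it trusts the session cookie alone, and a hardened handler that refuses them. somebank.com and the one-million-dollar transfer to account 123456 come from the text; the attacker origin evil.example, the /transfer endpoint, the session and token values, and all function names are assumptions. It also models the SameSite cookie attribute, which browsers added after this book was written, because it changes the "browser sends your cookies" step the attack relies on.

```javascript
// Added example (not code from the book): a simulation of the CSRF scenario
// above. somebank.com comes from the text; the attacker origin, the /transfer
// endpoint, the session id, the token and the handler names are constructed.
const BANK = "https://somebank.com";
const ATTACKER = "https://evil.example";

// Fresh bank state per scenario (constructed sample data).
function freshBank() {
  return {
    sessions: { "sess-abc123": { user: "alice", csrfToken: "tok-7c2e4f90" } },
    accounts: { alice: 2000000, "123456": 0 },
  };
}

// The victim's somebank.com cookie jar. The classic behaviour the book
// describes, cookies always riding along cross-site, is sameSite === "None".
function victimCookies(sameSite) {
  return [{ name: "sessionid", value: "sess-abc123", sameSite }];
}

// Browser rule for which cookies are attached to a request. Strict: never
// cross-site. Lax: cross-site only on a top-level GET navigation (an IFRAME,
// IMG or SCRIPT load is a subresource, not top-level). None: always.
function cookieHeader(jar, crossSite, topLevelNav) {
  return jar
    .filter((c) => !crossSite || c.sameSite === "None" ||
                   (c.sameSite === "Lax" && topLevelNav))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What the browser sends when the attacker's page embeds the bank URL in a
// tag. The tag only changes what the browser expects back; the request is a
// plain GET that the bank cannot tell apart from one the victim made.
function forgedGet(tag, url, jar) {
  return { method: "GET", url, tag, body: null,
           headers: { cookie: cookieHeader(jar, true, false), referer: ATTACKER + "/" } };
}

// A hidden, auto-submitted <form method="POST"> on the attacker's page.
// Browsers add an Origin header to cross-site POSTs.
function forgedPost(url, fields, jar) {
  return { method: "POST", url, body: fields,
           headers: { cookie: cookieHeader(jar, true, false), origin: ATTACKER } };
}

// The victim's own transfer, submitted from a bank page that embedded the token.
function legitimatePost(fields, token, jar) {
  return { method: "POST", url: BANK + "/transfer",
           body: { ...fields, csrf_token: token },
           headers: { cookie: cookieHeader(jar, false, false), origin: BANK } };
}

function sessionFor(req, bank) {
  const m = /(?:^|;\s*)sessionid=([^;]+)/.exec(req.headers.cookie || "");
  return m ? bank.sessions[m[1]] : undefined;
}

function moveMoney(bank, from, to, amount) {
  const known = Object.prototype.hasOwnProperty.call(bank.accounts, to);
  if (!known || !(amount > 0) || bank.accounts[from] < amount) {
    return { status: 400, error: "bad transfer" };
  }
  bank.accounts[from] -= amount;
  bank.accounts[to] += amount;
  return { status: 200 };
}

// Vulnerable: a state-changing GET authorised by the session cookie alone.
function transferVulnerable(req, bank) {
  const session = sessionFor(req, bank);
  if (!session) return { status: 401, error: "not logged in" };
  const q = new URL(req.url).searchParams;
  return moveMoney(bank, session.user, q.get("to"), Number(q.get("amount")));
}

// Hardened: POST only, the request must come from the bank's own origin, and
// it must carry the per-session token, which a cross-site page cannot read.
function transferHardened(req, bank) {
  const session = sessionFor(req, bank);
  if (!session) return { status: 401, error: "not logged in" };
  if (req.method !== "POST") return { status: 405, error: "GET must not change state" };
  const viaReferer = req.headers.referer ? new URL(req.headers.referer).origin : null;
  const origin = req.headers.origin || viaReferer;
  if (origin !== BANK) return { status: 403, error: "cross-site origin " + origin };
  if (!req.body || req.body.csrf_token !== session.csrfToken) {
    return { status: 403, error: "missing or wrong CSRF token" };
  }
  return moveMoney(bank, session.user, req.body.to, Number(req.body.amount));
}

// Run one request against a fresh bank and report the outcome.
function run(handler, req) {
  const bank = freshBank();
  const res = handler(req, bank);
  return { status: res.status, error: res.error, alice: bank.accounts.alice };
}

const attackUrl = `${BANK}/transfer?amount=1000000&to=123456`;
console.log("vulnerable, <img>:", run(transferVulnerable, forgedGet("img", attackUrl, victimCookies("None"))));
console.log("hardened, <img>:", run(transferHardened, forgedGet("img", attackUrl, victimCookies("None"))));
```

Run it with node. Two points are worth checking against the output: SameSite=Lax withholds the cookie from IFRAME and IMG loads, but a top-level GET navigation (the victim clicking a link to the same URL) still carries it, so a state-changing GET endpoint stays exploitable; and the hardened handler rejects the forged form POST on its Origin before the token is even looked at, while the victim's own POST, carrying the token from a bank-served page, goes through.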
