One of the most common questions I receive when doing appsec consulting revolves around cross-site scripting. Specicially, I am asked constantly why it is that stealing a cookie via reflected cross-site scripting has so many steps. If the goal is to get a victim to run a malicious script that steals cookies, and the attacker has to send the victim a link anyway...why not just send them a link to a script and be done with it? Why waste time with all this reflection?

My latest post on the HP Application Security blog.