# Computer Security - lesson 11
#### Stefano Zanero
###### 6 May 2016

## Web Application Security

The typical targets of web attacks are the users' browsers and the data held on the server.

The current trend is to offer software not as installed clients but as web applications; this holds both for SaaS and for corporate intranets.

The core of navigation is moving through pages while carrying over a state. In HTTP this is an illusion, because HTTP is intrinsically stateless: we are building a __stateful__ interaction on top of a __stateless__ protocol (in practice by passing a session identifier with every request, typically in a cookie). HTTP also does not support __authentication__ by itself, so it has to be implemented in the application.

> People make mistakes.

And in web applications the view side is not under the control of the programmer: it runs inside the browser, on the user's machine.

__SOP__ (the same-origin policy) is a policy adopted by all mainstream browsers: scripts coming from a website may access only data belonging to that same website (same origin).

__XSS__, or __cross site scripting__, is the technique of putting into a text box executable JavaScript code marked as `