Online security of web applications, and of desktop applications developed to interact with them through third-party web plugins, has raised the level of controls that should be in place. Apart from injection attacks (SQL injection), another attack vector is becoming clearer: 'XSS' or 'Cross Site Scripting'. In basic terms this attack vector has three main divisions:
1. DOM-based XSS
DOM-based XSS usually executes on the victim's local machine as soon as the malicious website is visited.
2. Non-Persistent XSS
Non-Persistent XSS works by having the crafted code/URL executed to generate a dynamic page containing the attacker's choice of code. This happens when user input is not sanitized (e.g. in a search field). This type of XSS attack works only as long as the crafted URL with its pre-defined code is executed by the victim's browser.
3. Persistent XSS
Persistent XSS stays permanently on the website, waiting to be executed on the victim's machine. It can take the form of a worm or any other malware served to the site's visitors.
Effect on Financial Applications
From a practical point of view, it is possible to steal a user's bank cookies and take over the session in one way or another. A related approach is to transfer an amount of money out of an existing authenticated user session using a crafted URL (if the bank allows such transfers without a pre-confirmation screen).
For more info: http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip
A sample screenshot taken from "xssed.com" shows that the websites of major commercial and Government organizations are affected by this threat. Although only a few are listed there, more become known as web pen-testing progresses.
XSS and other injection attacks can be filtered at the application layer by following tactics such as these:
- Sanitizing user input for malicious characters.
- Making sure that the web application returns user-supplied values encoded as HTML entities (instead of raw tags), and only after checking them for malicious code.
- Using WAF (Web Application Firewall) technology such as 'ModSecurity'.