Which type of attack occurs when an attacker uses malicious code in the data sent in a form?

Boost your knowledge for the WGU ITAS6231 D487 Secure Software Design Test. Utilize flashcards and multiple-choice questions, complete with explanations and hints, to prepare effectively for success.

The type of attack where an attacker uses malicious code in the data sent in a form is known as Cross-site scripting (XSS). In this type of attack, the attacker injects malicious scripts into web pages viewed by other users. When users interact with these compromised pages, the malicious scripts execute within their browsers, potentially leading to session hijacking, theft of sensitive information, or other harmful actions.

XSS specifically targets the client side, taking advantage of the web application's trust in user input and executing scripts within the context of the victim's session. This can happen when the application does not properly sanitize or validate data from input fields (such as those found in forms), allowing attackers to insert scripts that run when other users load the page.

Understanding this type of attack is critical in secure software design as it highlights the importance of input validation and output encoding to protect against malicious injection attacks. It underscores the need to ensure that any data sent in forms, particularly those that may be displayed back to users, is treated as potentially harmful until proven safe.
