SecurityFocus writes about an emerging application exploit: the “time-bomb.” It is a code injection attack in which the injected code does not execute upon injection but stays dormant, usually stored as data, and executes later upon user interaction or some other trigger. A paper by the UK-based Next Generation Security Software Ltd. goes into more detail.
What makes this type of exploit more difficult to deal with and protect against is its time-delayed nature. With normal cross-site scripting vulnerabilities, which execute code upon injection, there is no delay between injection and data or system compromise. This allows system administrators to quickly restore from a recent backup and to investigate while the information is still fresh. A time-delayed attack is likely to be much harder to recover from and would be very hard to investigate.
The paper argues that this type of attack would mostly use a data store, e.g. a SQL database, but that it is also possible to inject code into another data store, a file, or even a log file, and have it execute at a later time. The paper (linked above) also lists a few ways to handle HTTP requests that may contain such malicious code.
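The delayed trigger described above can be seen in a small SQL case: the value is stored safely at injection time and only becomes code when a later query trusts it. This is an added example, not code from the paper or from SecurityFocus; the table names, function names and sample rows are hypothetical and constructed for illustration.

```python
import sqlite3


def setup():
    """Build an in-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.execute("CREATE TABLE orders (owner TEXT, item TEXT)")
    # Injection time: both names are written with bound parameters, so
    # nothing executes here. The second name is the dormant value.
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("x' OR '1'='1", "m@example.test")],
    )
    db.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [("alice", "laptop"), ("bob", "phone")],
    )
    return db


def stored_name(db, email):
    """Read the stored user name back from the database."""
    row = db.execute(
        "SELECT name FROM users WHERE email = ?", (email,)
    ).fetchone()
    return row[0]


def orders_unsafe(db, email):
    """Trigger time, vulnerable: stored data is treated as trusted
    and concatenated into a second query."""
    name = stored_name(db, email)
    sql = "SELECT item FROM orders WHERE owner = '" + name + "'"
    return sorted(r[0] for r in db.execute(sql))


def orders_safe(db, email):
    """Trigger time, hardened: the stored value is bound as a parameter,
    so it is compared as data and never parsed as SQL."""
    name = stored_name(db, email)
    rows = db.execute("SELECT item FROM orders WHERE owner = ?", (name,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = setup()
    print("unsafe:", orders_unsafe(db, "m@example.test"))
    print("safe:  ", orders_safe(db, "m@example.test"))
```

Input filtering on the HTTP request alone does not cover this case, because the second query never sees a request; every point where stored data is reused needs the same handling as fresh input.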