Cross Site Scripting (XSS)

Cross Site Scripting is a condition in which data sent in a request to a web server is, either immediately or at a later time, re-displayed to a user, typically unaltered. If this data contains any HTML syntax, it is interpreted by the user’s web browser. The data can therefore carry malicious content that compromises the victim’s machine through web browser exploits, abuses domain trust, or displays false information or pages that trick users into supplying information to another site. A Cross Site Scripting payload can contain harmful JavaScript that sends the victim’s session credentials to another web server. Exploitation of Cross Site Scripting can also be intended simply to trick or fool a victim, for example by presenting false “real world” information such as news that looks as if it had come from an otherwise legitimate source.

This content can even contain login forms that, if submitted, send the login credentials to a hacker-owned web server instead of the “real” application server.

There are several ways Cross Site Scripting conditions can be exploited:

  • Presenting False Information: It is possible to exploit an XSS condition to present “false” information from an otherwise legitimate source, so that a victim can be tricked into believing, for example, that a false news item is true.
  • Presenting a False Form: Present a false login screen to trick victims into sending sensitive information such as login credentials to a “hacker-owned” web site.
  • Exploit Browser Vulnerabilities: It is possible to use an XSS condition to exploit web browser security issues to compromise or DoS a victim’s machine. This is done by tricking the victim into visiting a legitimate web site that contains an XSS vulnerability. Since the victim will likely believe the web site is safe, they will most likely have no qualms about following the potentially malicious link.
  • Exploit Client/Server Trust Relationships: It is possible to leverage an XSS condition to compromise the trust relationship between the web application and the web browser and obtain sensitive information about the user’s session, such as the session cookies.
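The root cause described above, request data re-displayed unaltered, is easiest to see next to its fix. The following is an added example (not code from the original post): a tiny server-side template that reflects a `name` parameter, first unencoded and then with HTML output encoding, run against a constructed input containing a tag and an attribute-breaking quote. The function names and the sample input are illustrative assumptions.

```javascript
// Characters that carry meaning in HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode untrusted data so the browser renders it as text, never as markup.
// Note: this covers HTML element text and quoted attribute values only; data
// placed inside <script> blocks, URLs or CSS needs encoding for that context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the request parameter is re-displayed unaltered, so any HTML
// syntax it contains is interpreted by the victim's browser (reflected XSS).
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p><input name="q" value="${name}">`;
}

// Fixed: the same template, but every untrusted interpolation is encoded
// for its context before it reaches the response body.
function renderGreetingSafe(name) {
  const safe = escapeHtml(name);
  return `<p>Hello, ${safe}!</p><input name="q" value="${safe}">`;
}

// Constructed sample input: closes the attribute, then injects a script tag.
const SAMPLE_INPUT = '"><script>alert(1)</script>';

// Simple check used to compare the two renderings: is a live <script> tag
// still present in the generated HTML?
function containsScriptTag(html) {
  return /<\s*script/i.test(html);
}

console.log('unsafe:', renderGreetingUnsafe(SAMPLE_INPUT));
console.log('safe:  ', renderGreetingSafe(SAMPLE_INPUT));
```

Output encoding at the point of display is the server-side control; pairing it with the HttpOnly cookie flag limits what injected script can read even if an encoding gap remains.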

Some people think that Cross Site Scripting is not a serious issue because it requires some action by the user (also known as the victim), such as clicking on a link or submitting a form, in order to work. Some even argue that it is the responsibility of the user, not the application owners, to ensure that they know what they are clicking on. I think it is very easy for someone with a degree in Computer Science to believe that argument. But most of the world is not as computer literate as the average Computer Science major. In fact, everyone reading this blog probably knows someone who has a computer and is on the internet, and who will click on anything and follow any instructions as long as they think it will let them see or download the files or images they want.