Thursday, November 15, 2012

What is Cross-Site Scripting (XSS)


There are lots of vulnerabilities in the web applications today. One of the most popular web application vulnerability is Cross-Site Scripting (XSS). Cross-Site Scripting (XSS) is one of the top 10 Web Application Security Risks for 2010 by OWASP. So what is Cross-Site Scripting (XSS)?  Cross-Site Scripting (XSS) is one of the injection technique, like sql injection. But Cross-Site Scripting (XSS) injects a malicious scripts like VB, JS, etc. The malicious scripts are injected into a trusted web site.


Cross-Site Scripting (XSS) allows the attacker to execute a dangerous scripts in the victim’s browser. Then the script can access victim’s crucial data, like cookies, session, cache, etc. Attacker also can rewrite the HTML page.


There are 3 basic XSS flaws, they are reflected, stored and DOM based.

Reflected
Reflected is most common type of the XSS flaw that found in the web applications. The injected code will reflected off the web server. The attacker attacks victims via another route, such as email message or other web server. Attacker will sends a malicious link to the victims.

Stored
This ismore devastating variant os XSS. Attackers can inject malicious code in the web applications and the injected code is permantly store on the target servers. This is a dangerous attack. For example attacker leaving malicious code in a blog’s comment of vulnerable blog web application. The malicious code will execute in the browser of the other blog visitor.

DOM based.
DOM is a World Wide Web Consortium (W3C) specification. DOM is a object model for representing XML and HTML structures. Attacker payload is executed as the result of modifying the DOM in the victim’s browser. Like the other XSS, DOM based XSS can be used to steal victim’s data or hijack the victim’s banking account.

Cross-Site Scripting (XSS) is one of the popular technique of penetration. So you must be careful and use a internet security software to protect you from hacker.

No comments:

Post a Comment