What is Cross Site Scripting?
Though less common than in the past, cross-site scripting is still the most commonly reported web vulnerability and remains a threat to everyday web users. Cross-site scripting attacks are used to steal information from your browser when you visit websites such as ecommerce stores, forums, and even your email account.
The insidious nature of cross-site scripting, or XSS, comes from how the attack occurs. The website you are visiting is itself used by attackers to attack its visitors. The malicious code that steals your data arrives in the form of ordinary-looking links, online forms that you fill out, or simply a page you view on an affected site.
XSS doesn’t look suspicious to the naked eye because of the variety of methods available to present the malicious attack to users. Common XSS delivery types include:
- JavaScript
- VBScript
- ActiveX
- Flash
- Even HTML!
Each of these technologies is a normal part of building websites and performs numerous functions needed for a site to work properly. Attackers search for vulnerable websites and applications and use them to fool users into giving up confidential data. With XSS, everything from account hijacking, identity theft, and changing user settings to redirecting the browser to a different location or showing fraudulent content that appears to come from the website being visited is possible.
Attackers' favorite targets include message board posts, instant messages, and web chat software. Sometimes the unsuspecting user is not required to click any additional site or link; simply viewing the web page containing the malicious code can deliver the payload.
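To make the message-board case above concrete, here is an added example (not code from the original post) of a tiny guestbook renderer: the version that copies a visitor's comment straight into the page, beside a hardened version that encodes it first. The function names and the sample comments are constructed for the illustration.

```javascript
// Vulnerable renderer: the visitor's comment is concatenated directly into the
// HTML, so any markup or script it contains runs in every later reader's browser.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Encode the five characters that let text break out of an HTML text node or
// a quoted attribute value. A single pass avoids double-encoding '&'.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hardened renderer: same template, but output encoding is applied at the
// point of insertion, so the browser shows the comment as literal text.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Constructed sample input: one benign comment and one carrying script markup.
const sampleComments = [
  'Great post on XSS!',
  '<script>/* injected by a malicious poster */</script>',
];

// Crude oracle for a template test: did a script tag survive into the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

for (const c of sampleComments) {
  console.log('unsafe:', renderCommentUnsafe(c));
  console.log('safe:  ', renderCommentSafe(c));
}
```

Run it with node to see the same comment rendered both ways; only the unsafe output still contains a live script tag.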
Some ways to protect yourself from cross-site scripting attacks are to follow links only from the main website you wish to visit and to avoid clicking on unsolicited links, even if they look innocent. For instance, if you come across a link that says it will redirect you to CNN's website, instead of clicking that link, type CNN's URL into the browser and visit the website on your own. In addition, be sure to keep your plug-ins, such as Flash Player and Java, up to date.
XSS can be executed automatically when you open an email or email attachment, or when you read a guestbook or bulletin board post. If you plan on opening an email or reading a post on a public board from a person you don't know, BE CAREFUL. One of the best ways to protect yourself is to turn off JavaScript in your browser's settings. In Internet Explorer, set your security level to high.
It is tough to avoid XSS holes; they have plagued even the most credible websites. Some of the websites that have been infected include:
- FBI.gov
- CNN.com
- Time.com
- Ebay.com
- Yahoo
- Apple
- Microsoft
- MySpace
- Wired.com
What precautions do you take against cross-site scripting attacks? Leave a comment below.
Sources:
- http://en.wikipedia.org/wiki/Cross-site_scripting
- http://projects.webappsec.org/Cross-Site+Scripting
- http://docs.google.com/View?docid=ajfxntc4dmsq_14dt57ssdw
- http://www.cgisecurity.com/xss-faq.html
March 12th, 2010 at 1:54 am
How often do you write your blogs? I enjoy them a lot.
March 16th, 2010 at 3:27 pm
We write new posts a couple of times a week or more when the muses inspire us. -365
March 20th, 2010 at 7:32 am
Can you provide more information on this? Sincerely
March 22nd, 2010 at 5:43 pm
There is a lot of information to cover on XSS, given that it is such a prevalent vulnerability on websites.
We will definitely delve deeper in the future and have provided reference links at the end of the post for further reading. -365