December 30, 2010

Cross Site Scripting (XSS)

Cross-site scripting is a vulnerability in web applications that lets an attacker inject malicious scripts into websites viewed by other users. The results range from theft and misuse of user details down to very small issues, such as being led to different sites, which can be easily prevented by a good Internet Security Program.

"Cross-site scripting" originally referred to the act of loading the third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain.

Types of Cross Site Scripting:

Non-persistent and Persistent:

Non-persistent XSS is by far the most common type. It shows up when data provided by a client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request. It is important to realize, however, that a third-party attacker may easily place hidden frames or deceptive links on unrelated sites and cause victims' browsers to navigate to URLs on the vulnerable site automatically, often completely in the background. In such a case, the attacker can intrude into the security context that rightfully belonged to the victim and can make changes to it. The best example is a site search engine.

Persistent XSS is far more devastating than non-persistent XSS. It occurs when the data provided by the attacker is saved by the server and then permanently displayed on "normal" pages that are viewed by other users in the course of regular browsing, without proper HTML escaping. It is more dangerous because the malicious code injected by the attacker is delivered automatically, without targeting particular victims or using third-party websites. Here the attacker exploits the web application's functionality, and any data received by the web application (via email, system logs, etc.) that can be controlled by an attacker could become an injection vector in some cases.
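The two cases above, shown as an added example that is not part of the original post: a search page that echoes the query (non-persistent) and a comment store that replays saved input (persistent), each rendered without and with HTML escaping. The names `search_page`, `CommentStore` and `markup_survived` and the sample inputs are constructed for illustration.

```python
import html

# Constructed sample inputs (not from the original post).
SAMPLE_QUERY = "<script>alert(1)</script>"   # markup where plain text is expected
SAMPLE_ATTR = '" data-injected="1'           # quote that closes an attribute early

def esc(value):
    """Escape &, <, >, " and ' so the browser treats the value as text."""
    return html.escape(value, quote=True)

def search_page(query, escape=True):
    """Non-persistent case: the query is echoed straight back in the response,
    once as body text and once inside the search box's value attribute."""
    shown = esc(query) if escape else query
    return ('<input name="q" value="%s">' % shown +
            "<p>Results for: %s</p>" % shown)

class CommentStore:
    """Persistent case: input is saved and later shown to every visitor."""

    def __init__(self):
        self._comments = []

    def add(self, author, text):
        # Keep the raw text; escaping belongs at output time.
        self._comments.append((author, text))

    def render(self, escape=True):
        enc = esc if escape else (lambda s: s)
        rows = ["<li><b>%s</b>: %s</li>" % (enc(a), enc(t))
                for a, t in self._comments]
        return "<ul>%s</ul>" % "".join(rows)

def markup_survived(page, raw_input):
    """True if the raw input reached the page unescaped (demo check only)."""
    return raw_input in page

if __name__ == "__main__":
    for q in (SAMPLE_QUERY, SAMPLE_ATTR):
        print("unsafe:", search_page(q, escape=False))
        print("safe:  ", search_page(q, escape=True))
    store = CommentStore()
    store.add("visitor", "nice post")
    store.add("guest2", SAMPLE_QUERY)
    print("unsafe:", store.render(escape=False))
    print("safe:  ", store.render(escape=True))
```

The second sample input contains no angle brackets at all, which is why the quote characters must be escaped as well when a value lands inside an HTML attribute.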

So be careful while opening any site that you don't know, because just opening that page will leave some malicious scripts on your computer that may run automatically, depending on their type. Also, with the advent of web 3.0, application flaws have become easier to catch, and attackers are improving their techniques of attacking using XSS.

