
Cross Site Scripting (XSS): An Overview
By: Lisa Welch
    2004-07-19

    Table of Contents:
  • Cross Site Scripting (XSS): An Overview
  • The Threats of Cross-site Scripting
  • Possible Solutions
  • Two Cases: True and False
  • Conclusion and Checklist for Data ValidateRequest



    Cross Site Scripting (XSS): An Overview


    (Page 1 of 5 )

    A web application vulnerable to cross-site scripting (XSS) allows a user to inadvertently send malicious data to him or herself through that application. Attackers often perform XSS exploitation by crafting malicious URLs and tricking users into clicking on them. Learn about the server application risks that cross-site scripting can pose and some possible solutions available to you.

    Cross-site scripting (XSS) attacks are a type of attack in which a variety of techniques are used to attempt to execute malicious script code by injecting it into form input, query strings, or cookies. If an attacker can successfully inject script into one of these areas, and your code processes it without validating or filtering the data, the script code can be executed, exposing your application data and more.

    People often refer to cross-site scripting as CSS, which has led to a lot of confusion with Cascading Style Sheets (CSS). Some security people refer to cross-site scripting as XSS as well as CSS. If you hear someone say "I found an XSS hole", they are talking about cross-site scripting for certain.

    XSS vulnerabilities are very often misunderstood and not given the concern and attention they deserve. Simply put, a web application vulnerable to XSS allows a user to inadvertently send malicious data to him or herself through that application. Attackers often perform XSS exploitation by crafting malicious URLs and tricking users into clicking on them. These links cause client-side script (VBScript, JavaScript, etc.) of the attacker’s choice to execute in the victim’s browser. XSS vulnerabilities are caused by a failure in the web application to properly validate user input. Usually the attacker will encode the malicious portion of the link to the site in hex (or another encoding method) so that the request looks less suspicious to the user who clicks on it.
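The reflection described above, shown next to one mitigation (encoding input at the point of output), as an added example that is not part of the original article. The host name, the `q` parameter, the page markup and all function names are constructed for illustration.

```javascript
// Constructed sample link: the "q" value is percent-encoded (hex), so the raw
// URL contains no visible markup characters.
const SAMPLE_URL =
  'http://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// HTML-encode the characters that can switch the browser out of text context.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read one query parameter; URL decoding happens here, as it does on a server.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// Vulnerable pattern: the decoded value is concatenated straight into the page.
function renderUnsafe(url) {
  return '<p>Results for: ' + queryParam(url, 'q') + '</p>';
}

// Hardened pattern: same page, but the value is encoded when it is written out.
function renderSafe(url) {
  return '<p>Results for: ' + htmlEncode(queryParam(url, 'q')) + '</p>';
}

// Log-review helper: decode every parameter the way the server will and
// return the names of those that contain markup characters after decoding.
function suspiciousParams(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (/[<>"']/.test(value)) hits.push(name);
  }
  return hits;
}

console.log(renderUnsafe(SAMPLE_URL)); // markup reaches the page as markup
console.log(renderSafe(SAMPLE_URL));   // markup reaches the page as text
console.log(suspiciousParams(SAMPLE_URL));
```

Checking the decoded value rather than the raw link matters because the encoded form contains no `<` or `>` for a reviewer or a simple filter to notice.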

    The most common web components that fall victim to XSS vulnerabilities include CGI scripts, search engines, ASP pages, forms, interactive bulletin boards, and custom error pages with poorly written input validation routines. Additionally, a victim doesn’t necessarily have to click on a link; XSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags.

    © 2003-2009 by Developer Shed. All rights reserved.