What is Cross Site Scripting?
By Michael Linn
Though less common than in the past cross-site scripting is still the most common publicly
reported web vulnerability and a threat to surfers. Cross-site scripting attacks are used to
steal information from your browser when you visit websites such as ecommerce stores, forums,
and even your email accounts.
The insidious nature of cross-site scripting or XSS comes from how the attack occurs.
The website you are visiting is actually used by hackers to attack visitors. The malicious
code that steals your data is presented in the form of simple links, online forms that you
fill out, or just visiting by infected sites.
XSS doesn't look suspicious to the naked eye because of the variety of methods available
to present the malicious attack to users. Common XSS delivery types include:
• JavaScript
• VBScript
• ActiveX
• Flash
• Even HTML!
Each of these types of software code is essential to building websites and perform numerous
functions to ensure proper functionality. Attackers search for vulnerable websites and applications
to fool users in order to gather confidential data from them. Using XSS fraud, everything from
account hijacking, identity theft, changing user settings, redirecting the browser to a different
location, or showing fraudulent content delivered by the website being visited is possible.
Attacker's favorite targets include message board posts, instant messages, and web chat
software. Sometimes the unsuspecting user is not required to interact with any additional site
or link; just simply viewing the web page containing the malicious code can delivery the payload.
Cross-site Scripting involves a hacker embedding malicious code into a webpage.
They usually do this by using the comments feature of a webpage to insert a comment that contains
a script. When a user visits the webpage the script is executed in order to create requests that
can be mistaken for those of a valid webpage in order to gather private data.
Some ways to protect yourself from Cross Site Scripting attacks are to only follow links
from the main website that you wish to visit. Avoid clicking on unsolicited links and hyperlinks
even if they look innocent. For instance, if you come across a link that says that it will
re-direct you to CNN's website, instead of clicking on that link, type CNN's URL into the browser
and visit the website on your own. In addition, be sure to keep your plug-ins, such as your
Flash Player, and Java up-to-date.
XSS can be executed automatically when you open an email or email attachment, or when
you read a guestbook or bulletin board post. If you plan on opening an email or read a post
on a public board from a person you don't know BE CAREFUL. One of the best ways to protect
yourself is to turn off JavaScript in your browser's settings. In Internet Explorer, turn your
security settings to high.
It is tough to avoid XSS holes; they have plagued even the most credible websites. Some
of the websites that have been infected include:
• FBI.gov
• CNN.com
• Time.com
• eBay.com
• Yahoo
• Apple
• Microsoft
• MySpace
• Wired.com
The author is a computer security professional with experience protecting small business
and home networks. He also teaches the basics of computer network security at 365 Computer
Security Training where he blogs regularly and creates video training and educational materials
related to information security. Learn more at 365ComputerSecurityTraining.com [parked domain]
More Network Security Articles: • Cyber Security Tips for Small and Medium Business (SMB) • The Use of HoneyPots and HoneyNets to Trick Hackers • Remote Access Authentication Protocols • How Snort's Stealth TCP Port Scanning Works • Email Security • Network Security by Filtering • Methods to Combat Distributed Denial of Service (DDoS) Attacks • What is Network AAA (Authentication, Authorization, and Accounting)? • Multi-Layered Approach to Cyber Security • Denial of Service Attack (DoS) Detection and Mitigation
|