
What is Cross Site Scripting?

Though less common than in the past, cross-site scripting is still the most commonly reported web vulnerability and a real threat to web users. Cross-site scripting attacks are used to steal information from your browser when you visit websites such as e-commerce stores, forums, and even your email accounts.

The insidious nature of cross-site scripting, or XSS, comes from how the attack occurs. The website you are visiting is itself used by the attacker to attack its visitors. The malicious code that steals your data arrives in the form of simple links, online forms that you fill out, or simply a visit to an infected site.

XSS doesn't look suspicious to the naked eye because of the variety of methods available to present the malicious attack to users. Common XSS delivery types include:

• JavaScript
• VBScript
• ActiveX
• Flash
• Even HTML!

Each of these kinds of code is a normal part of building websites and performs functions the site needs in order to work properly. Attackers search for vulnerable websites and applications and use them to fool users and gather confidential data. With XSS, everything from account hijacking, identity theft, and changing user settings to redirecting the browser to a different location or showing fraudulent content that appears to come from the website being visited is possible.

Attackers' favorite targets include message board posts, instant messages, and web chat software. Sometimes the unsuspecting user is not required to interact with any additional site or link; simply viewing the web page that contains the malicious code can deliver the payload.

Cross-site scripting involves an attacker embedding malicious code into a web page. They usually do this by using the comments feature of a web page to insert a comment that contains a script. When a user visits the web page, the script is executed and can make requests that look to the user (and to the site) like those of the legitimate page, in order to gather private data.
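The comment scenario above comes down to one mistake in the site's code: user-supplied text is pasted straight into the page's HTML. The following is an added example, not code from the article or from any site it names. It is a small Node.js comment renderer with the vulnerable version beside the fixed one; the comments, author names, and function names are all constructed for the illustration. The fix is output encoding: each user-controlled value is converted so that the browser displays it as text rather than running it.

```javascript
// Added example (not from the original article): a minimal comment renderer
// showing the stored-XSS mistake described above and its fix, output encoding.
// All sample data below is constructed.

// Encode the characters that let user text break out of an HTML text node or
// attribute value. This is the standard escaping every template engine applies.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the comment body is dropped straight into the page markup, so a
// comment containing a <script> tag becomes part of the page that every later
// visitor's browser executes (stored XSS).
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Fixed: every user-controlled value is encoded for the HTML context it lands
// in, so the tag is shown as literal text instead of being executed.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Constructed sample comments: one ordinary, one carrying the kind of script
// injection the article describes.
const sampleComments = [
  { author: "alice", body: "Great article, thanks!" },
  { author: "mallory", body: 'Nice post <script>alert("xss")</script>' },
];

// Render a whole comment list with the given renderer.
function renderAll(comments, renderer) {
  return comments.map((c) => renderer(c.author, c.body)).join("\n");
}

// Simple check a reviewer or test can run over rendered output: does the markup
// still contain an executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("Unsafe rendering:\n" + renderAll(sampleComments, renderCommentUnsafe));
console.log("\nSafe rendering:\n" + renderAll(sampleComments, renderCommentSafe));
console.log(
  "\nUnsafe output contains a script tag:",
  containsScriptTag(renderAll(sampleComments, renderCommentUnsafe)),
  "\nSafe output contains a script tag:",
  containsScriptTag(renderAll(sampleComments, renderCommentSafe))
);
```

Run it with `node` and compare the two renderings: in the unsafe output the second comment's `<script>` tag is live markup, while in the safe output it appears as `&lt;script&gt;` and is displayed harmlessly as text. The lesson for site builders is that encoding must happen at output time, for every value that originated from a user, regardless of whether it was checked on the way in.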

Some ways to protect yourself from cross-site scripting attacks are to follow links only from the main website that you wish to visit, and to avoid clicking unsolicited links and hyperlinks even if they look innocent. For instance, if you come across a link that says it will redirect you to CNN's website, instead of clicking on that link, type CNN's URL into the browser and visit the website on your own. In addition, be sure to keep your plug-ins, such as Flash Player and Java, up to date.

XSS can be executed automatically when you open an email or email attachment, or when you read a guestbook or bulletin board post. If you plan on opening an email or reading a post on a public board from a person you don't know, BE CAREFUL. One of the best ways to protect yourself is to turn off JavaScript in your browser's settings. In Internet Explorer, set your security settings to High.

It is tough to avoid XSS holes; they have plagued even the most credible websites. Some of the websites that have been affected include:

• FBI.gov
• CNN.com
• Time.com
• eBay.com
• Yahoo
• Apple
• Microsoft
• MySpace
• Wired.com


The author is a computer security professional with experience protecting small business and home networks. He also teaches the basics of computer network security at 365 Computer Security Training where he blogs regularly and creates video training and educational materials related to information security. Learn more at 365ComputerSecurityTraining.com [parked domain]


Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268