What is it?
Cross Site Scripting, or XSS as it is commonly referred to, is when an attacker uses malicious scripting code to attack an end user's computer, impersonate another user, or attack a web site. This can be done in several ways, from malicious web sites to an attacker injecting code into an unprotected site.
Where did the name come from?
The name is misleading because it really only characterizes one type of scripting attack out of the several that XSS now encompasses; this is because when the term was originally coined the problem was not fully understood, and there has been no effort since to find a better name [1].
The original threat was that an attacker would use various means to get around the security policy that only code from the host domain could be executed. This turned out to be only a very small subset of a much larger problem.
Types of attacks
The first type is normally called DOM-based or local XSS. This is where there is a problem in the client-side script: it takes part of the URL and uses it to produce content on the page. If that input is not sanitized or encoded properly, the script presents a hole for an XSS attack [1].
The second type, and the most common, is when the user's input is used directly in the creation of a page or response. This presents a huge hole if the server side does no filtering or encoding to "clean" the input.
The third type, which is similar to the second, is when the user input is stored permanently and then redisplayed to other users without encoding it with HTML entities. This is the most powerful because one breach could affect a large number of users.
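To make the second and third types concrete, here is an added Ruby example (not code from the original post or from Rails itself) that models a reflected search echo and a stored comment list, rendering each both raw and HTML-entity encoded. The encoder handles the same five characters that Rails' html_escape helper does; the comment data, the `render_*` function names and the `contains_script_tag?` check are all constructed for this illustration.

```ruby
# Added example, not from the original post: reflected (type 2) and
# stored (type 3) XSS in a minimal model of a Rails view, showing the raw
# interpolation beside the HTML-encoded version. Names are hypothetical.

# Entity mapping for text placed into HTML element content or a quoted
# attribute value; these are the five characters Rails' html_escape
# (ERB::Util.html_escape) encodes.
HTML_ENTITIES = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#39;'
}.freeze

# Encode every special character so the browser treats the value as text,
# never as markup. Apply this to each user-controlled value at output time.
def html_encode(text)
  text.to_s.gsub(/[&<>"']/, HTML_ENTITIES)
end

# Type 2 (reflected): the search term from the request is echoed back.
def render_search_unsafe(query)
  "<p>Results for: #{query}</p>"
end

def render_search_safe(query)
  "<p>Results for: #{html_encode(query)}</p>"
end

# Type 3 (stored): comments persisted and redisplayed to every visitor.
# Constructed sample data; the second comment carries a script tag.
COMMENTS = [
  { author: 'alice',   body: 'Nice post!' },
  { author: 'mallory', body: "<script>alert('stored')</script>" }
].freeze

# Vulnerable: interpolates the stored body straight into the markup, so the
# tag in mallory's comment runs for every reader of the page.
def render_comments_unsafe(comments)
  comments.map { |c| "<li><b>#{c[:author]}</b>: #{c[:body]}</li>" }.join("\n")
end

# Hardened: encodes every user-controlled value before it enters the page.
def render_comments_safe(comments)
  comments.map do |c|
    "<li><b>#{html_encode(c[:author])}</b>: #{html_encode(c[:body])}</li>"
  end.join("\n")
end

# Crude regression check a test suite can run over rendered output:
# does a literal script tag survive into the HTML? (Case-insensitive.)
def contains_script_tag?(html)
  html.downcase.include?('<script')
end

if __FILE__ == $PROGRAM_NAME
  puts "--- reflected, raw ---"
  puts render_search_unsafe("<script>alert('reflected')</script>")
  puts "--- reflected, encoded ---"
  puts render_search_safe("<script>alert('reflected')</script>")
  puts "--- stored, raw ---"
  puts render_comments_unsafe(COMMENTS)
  puts "--- stored, encoded ---"
  puts render_comments_safe(COMMENTS)
end
```

The encoded rendering shows `&lt;script&gt;` as visible text in the browser; the raw rendering executes it. Note that this encoding is correct for element content and quoted attribute values only; a value placed inside a JavaScript block or a URL needs the encoding for that context instead.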
What to do?
In a future post, I will go into more detail about particular attacks and how we as developers can secure our sites and applications from these types of attacks. I will be focusing on how to secure your Rails applications.
References
- [1] http://en.wikipedia.org/wiki/Cross_site_scripting
- [2] http://www.owasp.org/index.php/XSS_Attacks
- [3] http://www.cgisecurity.com/articles/xss-faq.shtml