Sunday, February 22, 2009

Cross Site Scripting (XSS)

Another highly exploited web application vulnerability is Cross Site Scripting, or XSS. This weakness is ranked at number 1 on OWASP's Top 10.

What is Cross Site Scripting?
XSS is a type of injection hack, HTML injection to be exact. It occurs when malicious JavaScript is submitted to a web application at a point that allows it to be reprinted on a page. The JavaScript becomes embedded in a page created by the web app and subsequently runs in a user's browser. Because the script actually came from a page generated by the app, it has access to any cookies created by the web app. This means that cookie information (like session data) could be sent to the hacker, allowing them to act as you in the application, effectively stealing your identity. If an ecommerce site like eBay or Amazon.com were vulnerable to this kind of attack (note: there is no known current vulnerability), an attacker could potentially order merchandise using your credit card and ship it to themselves.

Who is vulnerable?
Any web application that takes user input and re-displays it is potentially vulnerable.

How Can These Attacks be Prevented?
As with SQL injection, the best way to prevent this hack is to validate all user input. If validation is done on the client side, it must also be done on the server side, since it is easy to bypass anything that is completed client side. It is also good to run output through functions like htmlentities() or htmlspecialchars() in PHP. Java is a little more difficult. OWASP suggests that you use a Struts output mechanism like , but it is definitely not safe to use <%= %> outside of a properly encoded output mechanism. See the resources below for more ways to protect your application.
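As an added example (this is not code from the original post), here is a minimal PHP page that reflects a search term, shown first in its vulnerable form and then hardened with the server-side validation and htmlspecialchars() output encoding the post recommends. The `q` query parameter, the helper names and the sample input are all assumptions for the illustration.

```php
<?php
// Added example, not from the original post. Assumes a hypothetical
// query parameter "q" (e.g. search.php?q=term) that the page echoes back.

// VULNERABLE: the raw value is written straight into the HTML response, so
// any markup or <script> in "q" becomes part of the page and runs in the
// visitor's browser with the same access to this site's cookies as the page.
function renderVulnerable(string $q): string
{
    return "<p>Results for: " . $q . "</p>"
         . '<input type="text" name="q" value="' . $q . '">';
}

// Server-side validation (the client-side copy can be bypassed, so this
// check must live here): accept only the characters a search term needs.
// Anything else is rejected rather than "cleaned up", so the rule stays simple.
function isValidSearchTerm(string $q): bool
{
    return strlen($q) <= 100 && preg_match('/^[\p{L}\p{N} .,\'-]*$/u', $q) === 1;
}

// Output encoding for an HTML text or double-quoted attribute context.
// ENT_QUOTES encodes both ' and " (older PHP defaults leave ' untouched),
// ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8,
// and the explicit charset keeps multibyte input from being mis-decoded.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HARDENED: validate, then encode at the point where the value meets HTML.
// Encoding is applied even after validation so that a later relaxation of
// the validation rule does not silently reopen the injection.
function renderSafe(string $q): string
{
    if (!isValidSearchTerm($q)) {
        return "<p>Invalid search term.</p>";
    }
    return "<p>Results for: " . h($q) . "</p>"
         . '<input type="text" name="q" value="' . h($q) . '">';
}

// Constructed sample input: a harmless probe string of the kind used to
// confirm that reflected input is not being encoded.
$sample = $_GET['q'] ?? '"><script>alert(1)</script>';

header('Content-Type: text/html; charset=UTF-8');
echo "<!-- vulnerable rendering (for comparison only) -->\n";
echo renderVulnerable($sample), "\n";
echo "<!-- hardened rendering -->\n";
echo renderSafe($sample), "\n";
```

With the sample input, the vulnerable rendering closes the attribute and emits a live `<script>` element, while the hardened path rejects the term outright; a legitimate term such as `red shoes` passes validation and is still encoded on output, so a `<` or `"` that slips through a loosened rule would appear as `&lt;` or `&quot;` instead of as markup.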

Resources
