Tuesday, July 27, 2010

Cross-Site Scripting (XSS)

One of the most common forms of Web application vulnerability is Cross-site Scripting. This security vulnerability allows attackers to implant malicious scripts into websites. The scripts execute in the browsers of visitors to the site, within the hosting website's security zone. This gives the script the privilege level it needs to access and modify secure data.

Cross-site Scripting is among the most widespread attack methods used by hackers. It is also referred to by the names XSS and CSS. Note that in this case, CSS is not the same as Cascading Style Sheets, which is the name of a style sheet language for Web pages.

Possible consequences of Cross-site Scripting include having a user account hijacked (also called cookie theft), the redirection of users to a fraudulent website, or the display of false information on the hosting website. In addition to the threat of secure data being compromised, the trust level of users can be seriously damaged by Cross-site Scripting.

How Does an XSS Attack Occur?

Most modern Web applications are dynamic in nature, allowing users to customize an application website through preference settings. Dynamic web content is then generated by a server that relies on user settings. These settings often consist of personal data that needs to be secure. Unfortunately, dynamic websites are most vulnerable to XSS attacks on secure data.

Web pages that pass data to and from a database are especially vulnerable to XSS attacks. This includes pages with login ids and passwords, shopping carts that access credit card data, personal information forms, etc. Retail, health care, government and financial Web applications are especially at risk.

Malicious HTML, JavaScript, VBScript, Flash or ActiveX scripting code can be used for XSS. Once inserted into an unsecured dynamic website, the embedded script is able to gather private data, create user requests to the Web application, steal user cookies or launch a virus on the user’s computer. The script could also cause the user to redistribute malicious content across the internet.

Once a hacker is armed with sufficient knowledge to write malicious code in a dynamic language such as JavaScript or HTML, the code can be easily tested through a browser on a dynamic website.

According to CERT Coordination Center, a federally funded research and development center, the lack of control over user inputs puts dynamic websites at risk. Unless proactive steps are taken to guard against malicious input, a Web application cannot guarantee the security of its output.
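The point above about uncontrolled input and untrustworthy output, shown as an added example that is not part of the original post: a page fragment built by plain concatenation beside the same fragment with the input encoded at the point of output. The function names, the markup and the sample inputs are constructed for illustration.

```javascript
// Added example: output encoding for untrusted input (all names are illustrative).
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can change HTML parsing state.
// A single-pass replace avoids re-encoding the "&" of entities just produced.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: user input is concatenated into the markup as-is,
// so any tags it contains become part of the page.
function renderProfileUnsafe(displayName) {
  return '<p class="greeting">Welcome, ' + displayName + "</p>";
}

// Hardened: input is encoded where it is written out, covering both
// the element-body context and the quoted-attribute context.
function renderProfileSafe(displayName) {
  const encoded = escapeHtml(displayName);
  return '<p class="greeting" title="' + encoded + '">Welcome, ' + encoded + "</p>";
}

// Constructed sample inputs: an ordinary name, a value carrying markup,
// and a value that tries to close a quoted attribute.
const samples = [
  "Alice & Bob",
  "<script>alert(1)</script>",
  '" onmouseover="alert(1)',
];

for (const input of samples) {
  console.log("unsafe:", renderProfileUnsafe(input));
  console.log("safe:  ", renderProfileSafe(input));
}
```

The encoding shown here covers HTML element bodies and quoted attributes only; values written into script blocks, URLs or style sheets need the encoding for that context.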

Don’t Ignore the Threat of Cross-Site Scripting

Industry data shows that XSS is a widespread and serious form of attack on Web applications. Any time a website asks a user to type in information, the risk of XSS exists. Many of the Web applications that we work with are vulnerable to the threat of XSS. Industry research suggests that this is a growing trend with no end in sight.
