What is Cross Site Scripting?

Cross-site scripting (XSS) allows criminals to introduce code through dynamic or interactive content such as a web page, an interactive form, a link, a newsgroup posting, or any other type of content that executes in your browser. HTML (HyperText Markup Language) is the common language in which web pages are delivered. The code is made up of elements that provide the structure and control your browser interprets to present these web pages in a certain way. Elements within the HTML display colors and shapes, point to images, play animation, and even execute scripts. Once malicious code is executed, it allows the criminal to take control of your browser. The result could be as insignificant as pop-up ads or as dramatic as delivering a worm.

The most common type of XSS is what we refer to as a non-persistent XSS attack. In this type of attack, a criminal presents you with a specially constructed link to click on. It may be presented on a blog, a forum, a web page, in an email, or the like. Once you click on the link, the code is executed in your browser. It could just generate an annoying pop-up ad, or the link could command your browser to begin a download.

The mistake most people make is thinking that because the encoded URL, http://www.security.com/index.php?name=%3c%73%63%72%69%70%74%3e, is presented, there is nothing to hide. They believe the URL that has a friendly name like “security” may present some hidden code. The truth is, unless you can translate the hexadecimal meaning of the link above, neither code may be safe. The key is where the link is presented. Any major company website like Microsoft, Symantec, Coca-Cola, Pepsi, Hewlett Packard, Dell and so on will have safe links. Emails from anyone you are expecting a link from, because either you requested a link or they told you they are sending one, would be safe. Others would require a judgment call on your part. That’s why a good antivirus program with daily updates is so important. Very often it will detect a cross-site script and block it.
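Translating the hexadecimal in a link like the one above does not have to be done by hand. The following is an added example, not code from the original post: it decodes each query value (repeatedly, in case it was encoded more than once) and reports values that contain markup. The names `fullyDecode` and `inspectLink` are hypothetical, and the second link is constructed for comparison.

```javascript
// Added example: decode percent-encoded query values and flag HTML markup.
// fullyDecode() and inspectLink() are hypothetical names for this sketch.

// Decode repeatedly, because a value can be encoded more than once
// (%253c -> %3c -> <). Stop when the value no longer changes.
function fullyDecode(value, maxRounds = 5) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape such as "%zz": keep what we have so far
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return every query parameter whose decoded value contains characters
// that can open a tag or break out of an attribute, or a javascript: URL.
function inspectLink(link) {
  const url = new URL(link);
  const findings = [];
  for (const pair of url.search.slice(1).split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? "" : pair.slice(eq + 1);
    const decoded = fullyDecode(raw.replace(/\+/g, " "));
    if (/[<>"'`]|javascript:/i.test(decoded)) {
      findings.push({ name: fullyDecode(name), raw, decoded });
    }
  }
  return findings;
}

// The encoded link from the text, and a constructed link with a plain value.
const encodedLink = "http://www.security.com/index.php?name=%3c%73%63%72%69%70%74%3e";
const plainLink = "http://www.security.com/index.php?name=alice";
console.log(inspectLink(encodedLink));
console.log(inspectLink(plainLink));
```

The `name` parameter of the encoded link decodes to the opening of a script element, which is why the friendly host name says nothing about what the link carries.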

The other type of cross-site scripting is a persistent XSS attack. This occurs when the malicious code is stored on the server itself and delivered as a normal part of a web page. The most common delivery method is when a criminal is able to inject their malicious code into a database. Then, every time users of that web service view information that calls up the data input by the criminal, the user’s computer becomes infected.

As an example, let’s take a fictitious site that facilitates the sale of sports memorabilia between its members. Out of respect for its members’ privacy, the site keeps real names, emails and locations hidden. It only displays screen names between members.
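Why stored data becomes part of the page, and how encoding it at output time prevents that, can be shown in a few lines. This is an added example, not code from the original post: the member records, field names and render functions are hypothetical, and it assumes the screen name is the stored field that reaches other members' pages.

```javascript
// Added example: one stored value rendered without and with HTML escaping.
// The in-memory "database", field names and render functions are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Replace the five characters that let text break out of an HTML text
// node or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed rows standing in for member records kept by the site.
const members = [
  { id: 1, screenName: "cardcollector88" },
  { id: 2, screenName: "<script>/* stored by another member */</script>" },
];

// Before: the stored value is concatenated into the page as-is, so the
// browser parses whatever markup the row contains.
function renderMemberUnsafe(m) {
  return `<li class="member">${m.screenName}</li>`;
}

// After: the stored value is encoded at output time, so it is displayed
// as text and never parsed as an element.
function renderMemberSafe(m) {
  return `<li class="member">${escapeHtml(m.screenName)}</li>`;
}

for (const m of members) {
  console.log("unsafe:", renderMemberUnsafe(m));
  console.log("safe:  ", renderMemberSafe(m));
}
```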

14 thoughts on “What is Cross Site Scripting?”

  1. whoah this weblog is excellent i really like studying your articles.
    Stay up the great work! You realize, a lot of individuals are searching around for this
    information, you can aid them greatly.

  2. Hello, Neat post. There’s a problem along with your site in internet explorer, may test this?
    IE still is the market leader and a large section of other people will
    miss your great writing because of this problem.

    • Please post the problem you are experiencing and your browser version so we can fix it. The blog is optimized and tested with IE 10, Safari 5.1, Chrome 30.0 and Firefox 24.0. We have been unable to replicate any issues with these browsers.

      Thanks

  3. Thank you for another great post. The place else may anyone get that type of info in such an ideal means of
    writing? I’ve a presentation subsequent week, and I’m on
    the search for such info.

  4. I think everything published made a great deal
    of sense. But, think about this, what if you added a little content?
    I am not saying your content is not good, but
    what if you added a title that grabbed people’s attention? I
    mean What is Cross Site Scripting? | techblahblah is kinda plain. You ought to glance
    at Yahoo’s front page and note how they create post titles to get viewers interested.

    You might try adding a video or a pic or two
    to grab readers excited about everything you’ve written. In my opinion, it would make your posts a little livelier.

  5. Site architecture is another thing you may be able to control depending on how or who set up your site.

    In a totally unregulated industry with no recognized certifications or professional
    association to determine who can call themselves an “SEO Expert”, business owners are on their
    own to do their own investigating and due diligence to determine
    who really can deliver results for their business.
    You can search for the keywords that are the most searched by the readers.
