Cross-site scripting (XSS) allows criminals to introduce code through dynamic or interactive content, such as a web page, an interactive form, a link, a newsgroup posting, or any other type of content that executes in your browser. HTML (HyperText Markup Language) is the common language in which web pages are delivered. It is made up of elements that provide the structure and control your browser interprets to present a page in a certain way. HTML elements can display colors and shapes, point to images, play animation, and even execute scripts. Once malicious code is executed, it allows the criminal to take control of your browser. The result could be as insignificant as pop-up ads or as dramatic as delivering a worm.
The most common type of XSS is what we refer to as a Non-persistent XSS attack. In this type of attack, a criminal presents you with a specially constructed link to click on. It may appear on a blog, a forum, a web page, in an email, and so on. Once you click the link, the code is executed in your browser. It could just generate an annoying pop-up ad, or it could command your browser to begin a download.
The mistake most people make is thinking that because the encoded URL, http://www.security.com/index.php?name=%3c%73%63%72%69%70%74%3e, is presented in full, there is nothing to hide. They believe that it is the link with a friendly name like “security” that may carry hidden code. The truth is, unless you can translate the hexadecimal meaning of the link above, neither link may be safe. The key is where the link is presented. Any major company website like Microsoft, Symantec, Coca-Cola, Pepsi, Hewlett Packard, Dell and so on will have safe links. Emails from anyone you are expecting a link from, because either you requested the link or they told you they were sending one, would be safe. Others require a judgment call on your part. That’s why a good antivirus program with daily updates is so important. Very often it will detect a cross-site script and block it.
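Translating the hexadecimal meaning of a link, as described above, can be done mechanically. The following is an added example, not code from the original article: it decodes each query parameter of a link and reports whether the result contains HTML markup characters, and the names `fullyDecode`, `escapeHtml` and `inspectLink` are assumptions chosen for illustration.

```javascript
// Added example: translate the percent-encoded (hexadecimal) bytes in a link's
// query string back into characters and report what each parameter really holds.

// Decode repeatedly so double-encoded values (%253c -> %3c -> <) are revealed too.
function fullyDecode(value, maxRounds = 5) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: keep the last good form
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Conservative heuristic: characters that can turn text into HTML markup.
const MARKUP_CHARS = /[<>"'`]/;

// Output-encode a value so a page can display it as text instead of markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return text.replace(/[&<>"'`]/g, (c) => map[c]);
}

// One finding per query parameter: raw form, decoded form, and a flag.
function inspectLink(link) {
  const url = new URL(link);
  const findings = [];
  for (const pair of url.search.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const raw = eq === -1 ? "" : pair.slice(eq + 1);
    const decoded = fullyDecode(raw.replace(/\+/g, " "));
    findings.push({
      name: fullyDecode(eq === -1 ? pair : pair.slice(0, eq)),
      raw,
      decoded,
      hasMarkupChars: MARKUP_CHARS.test(decoded),
      safeToDisplay: escapeHtml(decoded),
    });
  }
  return { host: url.hostname, findings };
}
// Constructed sample: the link quoted in the article.
console.log(inspectLink("http://www.security.com/index.php?name=%3c%73%63%72%69%70%74%3e"));
```

For the article's link, the `name` parameter decodes to an opening script tag, which is why the encoded form cannot be judged by eye.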
The other type of cross-site scripting is a Persistent XSS attack. This occurs when the malicious code is stored on the server itself and delivered as a normal part of a web page. The most common delivery method is when a criminal is able to inject their malicious code into a database. Then, every time a user of that web service views information that calls up the data entered by the criminal, that user’s computer becomes infected.
As an example, let’s take a fictitious site that facilitates the sale of sports memorabilia between its members. Out of respect for its members’ privacy, the site keeps real names, emails and locations hidden. It only displays screen names between members.