Hi Friends,
Greeting!
Apologies for no contacts with you all. Was kinda busy with my very tight schedule. ;P
Nevertheless, who does not find time to explore technology, and geeks like us... needs technology like food(sorry, if I exaggerated a bit).
So, back at my workplace, one of my colleague asked me what cross-site scripting is. Phew! Let me write what I conveyed to her.
Definition:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
---Wikipedia
The definition given above is easily understood with the following pictorial representation:
Let us decipher what it represents.
There is an entry form in your web site with four inputs: First Name, Last Name, Email and Message.
Now, a hacker, instead of providing these details, inserts some client side scripts in these text boxes. These scripts will get stored, persistently or on temporary basis(depending upon the category of XSS: persistent or non-persistent) into database or any other storage medium.
Now these scripts are requested by the application to generate dashboard or any other user(victim) without these scripts being filtered.
Let us visualize a situation in which the above form with malicious data is stored in the database which is later viewed by the administrator of the site.
You all know that most of the applications today use cookie to keep track of all details of users. So in our case, the hacker may redirect the administrator to some other page(created by him, say malicious page) using the scripts and on the page_load function(/document.ready()) of that page(i.e. malicious page), may steal the admin data(cookie) and again redirect the admin to the original page, as if nothing has happened and everything is working as expected.
Hence, the administrator will never come to know that his data is compromised and the hacker has access to the whole server!!
Usage:
XSS are used for mostly two purposes:
Greeting!
Apologies for no contacts with you all. Was kinda busy with my very tight schedule. ;P
Nevertheless, who does not find time to explore technology, and geeks like us... needs technology like food(sorry, if I exaggerated a bit).
So, back at my workplace, one of my colleague asked me what cross-site scripting is. Phew! Let me write what I conveyed to her.
Definition:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
---Wikipedia
The definition given above is easily understood with the following pictorial representation:
There is an entry form in your web site with four inputs: First Name, Last Name, Email and Message.
Now, a hacker, instead of providing these details, inserts some client side scripts in these text boxes. These scripts will get stored, persistently or on temporary basis(depending upon the category of XSS: persistent or non-persistent) into database or any other storage medium.
Now these scripts are requested by the application to generate dashboard or any other user(victim) without these scripts being filtered.
Let us visualize a situation in which the above form with malicious data is stored in the database which is later viewed by the administrator of the site.
You all know that most of the applications today use cookie to keep track of all details of users. So in our case, the hacker may redirect the administrator to some other page(created by him, say malicious page) using the scripts and on the page_load function(/document.ready()) of that page(i.e. malicious page), may steal the admin data(cookie) and again redirect the admin to the original page, as if nothing has happened and everything is working as expected.
Hence, the administrator will never come to know that his data is compromised and the hacker has access to the whole server!!
Usage:
XSS are used for mostly two purposes:
- Bypass access controls
- Impersonate users
Prevention:
After analyzing the ill-effects, it is very important to understand how can we prevent it from occurring in the first place. I found a very comprehensive and detailed article in Microsoft knowledge base. You can find it here
I am afraid I will have to end it here. Please feel free to post comment. (No scripts please!!!)
I wish you all Happy Safe Site Creation!
Cheers! ^_^