Last Updated: May 23, 2012

December 08, 2008

Cross Site Scripting Attacks

Online intruders are experimenting with an extensive arsenal of hacking techniques.  Aside from breaking into personal computers, these internet criminals are also looking to penetrate high-powered web servers and compromise sensitive data such as Social Security numbers, bank account details and other personal information.  Cross site scripting is a method commonly used to carry out such attacks.

What is Cross Site Scripting?

Cross site scripting, often referred to as CSS or XSS, is a hacking technique that takes advantage of web-based applications, allowing an intruder to distribute malicious content and obtain critical data from the victim.  A web page consists of HTML markup that is generated by a server and then interpreted by a browser.  A developer creating static pages has control over how they are interpreted by a browser.  This isn't the case with a dynamic web page, whose output depends on input the developer does not control, essentially giving a malicious user the power to manipulate the scripting without the victim noticing in time to react.

Most websites today thrive on sophisticated applications that interact with users and cover specific needs.  At the same time, many of these dynamic sites suffer from numerous vulnerabilities and leave companies wide open to attacks.  Cross site scripting gives an attacker the power to insert malicious ActiveX, HTML, Flash, JavaScript or VBScript into a dynamic web page.  This is done to trick the user into executing the script, which allows the intruder to access the data they are after.  This exploit is often performed to steal confidential information, steal or modify cookies, modify requests and even execute malicious code on the victim's machine.  When the latter occurs, the data is typically in the form of a hyperlink that contains the malicious code.  Once clicked, the infection can be distributed over the internet.

Using this technique, a hacker can create a custom-made URL and infect machines with it, all by using a browser to test the response of a dynamic web page.  With basic knowledge of JavaScript, HTML and a dynamic programming language such as PHP, the attacker can easily create a rogue URL and launch an XSS attack on a vulnerable website.

Is Your Site Vulnerable?

One of the most damaging aspects of cross site scripting is that you typically will have no knowledge of the attack until it's too late.  To learn if your site is vulnerable, you could run a scanning utility which will comb your dynamic pages in search of potential security issues.  Such a tool will indicate the scripts and URLs susceptible to the attack.  From there you can make the needed corrections and secure your website.  A reliable scanner will seek out cross site scripting and other common vulnerabilities such as SQL injection.

The high number of compromised websites is an indication that cross site scripting is one of the internet's biggest flaws.  This attack can occur on any web-based application that openly accepts input and generates output without the proper validation.  The good thing is that the attack can only cripple sites powered by dynamic scripting languages, as opposed to static pages built strictly with HTML.  The bad thing is that simple static pages are mainly a thing of the past.
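The correction for a page that "accepts input and generates output without the proper validation" is to encode that input for the place it lands in the HTML.  The following is an added example, not code from the original article; the function names and the sample inputs are hypothetical and constructed for illustration.  It shows a vulnerable page fragment next to a hardened one.

```javascript
// Added example: all names here are hypothetical.

// Characters that let text break out of HTML body or quoted-attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode input so the browser displays it as text instead of parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) links; any other scheme, or input that does
// not parse as an absolute URL, is replaced with an inert "#".
function safeHref(value) {
  try {
    const url = new URL(String(value));
    if (url.protocol === 'http:' || url.protocol === 'https:') return url.href;
  } catch (_) {
    // unparsable or relative input falls through to the inert value
  }
  return '#';
}

// Vulnerable: request input is concatenated into the page as markup.
function renderUnsafe(query) {
  return '<p>Results for ' + query + '</p>';
}

// Hardened: each value is validated and encoded for the context it lands in.
function renderSafe(query, backLink) {
  return '<p>Results for ' + escapeHtml(query) + '</p>' +
         '<a href="' + escapeHtml(safeHref(backLink)) + '">Back</a>';
}

// Constructed sample inputs of the kind a scanner would submit.
const sampleQuery = '<script>alert(1)</script>';
const sampleLink = 'javascript:alert(1)';

console.log(renderUnsafe(sampleQuery));
console.log(renderSafe(sampleQuery, sampleLink));
```

The unsafe version returns the script tag intact, so a browser would run it; the hardened version returns it as visible text and drops the non-http link.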
