Thread: XSS/Cross side scripting

  1. #1
    Join Date
    Aug 2004

    XSS/Cross side scripting

    What is Cross side scripting? What can be done with it, and how do we prevent people from doing it against us?

    If anyone can share their knowledge on this, it will be useful.

    Thank you

  2. #2
    Join Date
    Aug 2004
    I tried, it's not working. Any specific links?

  3. #3
    Senior Member
    Join Date
    Mar 2004


    I will try to give you a definition of how I understand XSS (cross site scripting, CSS).

    Nowadays, it is common to allow a client to interact with the (web)server -
    this is part of the idea known as "deliver dynamic content".

    This interaction might allow the client to transfer malicious pieces
    to the server (e.g. into guestbooks). These malicious pieces can gather
    information about another user's session, or can link to other websites
    (which use some known vulnerability, popular in relation with IE).

    So, XSS is the procedure of adding malicious content to a server.
    An XSS vulnerable server can be understood as a server that allows for
    client input and its output without checking it for malicious content
    (well, as far as I understand it abstractly).

    But I also want to put in here the issue of "[SQL] code injection".
    Meaning that the interaction with a server allows a malicious
    user to gather/modify/delete information in a database (basically).
    I would like to mention this because the defense mechanisms for
    XSS might be similar to the ones for code injection.


    So, what XSS is capable of doing is, for example:
    - take over other users sessions
    - connect users to a malicious server
    - social engineer a user to access a certain URL
    - elevate own permissions
    - ...

    A starting point for how to defend

    There are very well written documents out there describing how to
    perform XSS. But since you are mainly asking how to prevent such
    XSS, I suggest doing the following (I will check for a good link describing
    how to defend against XSS [1]):

    If interaction with the user really is needed, always try
    to verify the input prior to using it. This is valid in the
    context of XSS as well as "code injection".

    Verifying means to deny any input, except the expected ones.

    In a form: there is no need for { ', ", |, \, %, <, >, /, &, # } etc.
    in an "Enter your name: " field. I suggest: do NOT verify it on the client,
    but on the server. All javascript verification methods are
    obsolete. I would NOT try to exclude "chars", but allow only the "chars" I expect
    (sorry for this bad formulation), i.e. use the same strategy as suggested with
    firewalls: deny everything, then open it step-by-step.

    Unfortunately, you sometimes might have to allow certain characters
    which potentially can be used for XSS/code injection. Then you have to be very
    careful and check the input, e.g. by comparing it with a list of allowed inputs.


    [1] http://www.technicalinfo.net/papers/CSS.html
    It is written by Gunter Ollmann.
    I only had an "overall read" of it, but it looks pretty understandable and correct.

    /edit: deleted a part about including code injection in general
    into the definition of XSS.
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Hey Hey....

    Have you tried google for yourself anban? It might be time to attempt to learn yourself instead of asking us to spoon feed you (which you seem to do a lot).. Anyways... You'd have much better luck with a google search if you referred to it as Cross Site Script (not Cross Side Scripting)....

    As far as a website.. I'd highly suggest checking out Cgisecurity.com.... Their FAQ is quite a read

    "What is Cross Site Scripting?"

    Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them. If for example I was logged in as "john" and read a message by "joe" that contained malicious javascript in it, then it may be possible for "joe" to hijack my session just by reading his bulletin board post. Further details on how attacks like this are accomplished via "cookie theft" are explained in detail below.
    The rest of the read is very interesting and quite simplistic... and there are examples as well as several good links near the bottom of the page.

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  5. #5
    Join Date
    Aug 2004
    HTRegz, I am sorry. I am learning.
    sec_ware, can you suggest sites where I can learn about XSS?

  6. #6
    Senior Member
    Join Date
    Jul 2002
    XSS vulnerability and more...

    Peace always,
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds

  7. #7
    Senior Member
    Join Date
    Oct 2004
    HTRegz, thanks for a new lesson: "never refer a newbie to google", because some senior member might think that you are not good enough to refer them to google, as if referring to google is their personal right. Anyways, thanks for the red ones.
    nobody is perfect i am nobody

  8. #8
    Senior Member
    Join Date
    Oct 2004
    Anban, that was a really bad question. See, if you only want a definition you can get it from google.
    There is no point in posting this here.
    Anyways, if you want anything more than a definition, then I suggest you constantly monitor http://packetstormsecurity.nl and http://zone-h.org advisories.
    Read them carefully and try to understand what they are saying about different vulnerabilities (including XSS). Now, there will be terms that you won't understand; google them. If you still don't understand something, post it here, that will be great for all of us.
    As far as XSS goes, if you want knowledge of how it works, I suggest you also monitor the different exploits released for this.
    nobody is perfect i am nobody

  9. #9
    Junior Member
    Join Date
    Dec 2004
    XSS is a social engineering trick... so you put some HTML code in a form, and you get this HTML code as feedback... for example: a form asks "what's your name" and you write "blabla", then you get "hello blabla". So if you write something containing javascript code, you will get HTML code with your injected javascript... but you may think from the tutorials that you can steal any cookie of any user you want when doing such an injection... it's not!!! Because you could change your HTML code as well, so the same effect must happen... but you prepare an injected page, then you send the URL to your victim, and he opens it, then the injected code is executed, that's XSS... And it is called XSS because there's already a CSS, which stands for Cascading Style Sheets, to edit webpage styles.
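    The "hello blabla" page from post #9 and the server-side allow-list advice from post #3, put side by side as an added example (not code from anyone in this thread). The character set accepted for the name field is an assumed policy; `greet_unsafe` reflects input verbatim, `greet_safe` applies the allow-list and HTML-encodes on output, and `greet_lenient` shows the caveat from post #3 where some characters must be accepted and output encoding is the remaining defense.

```python
import html
import re

# Allow-list for an "Enter your name" field, following post #3: accept only
# what is expected and deny everything else. The exact set (letters, digits,
# space, hyphen; 1 to 64 characters) is an assumption for this example.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{0,63}")


def validate_name(value: str) -> bool:
    """Server-side allow-list check; True only for input matching the policy."""
    return NAME_RE.fullmatch(value) is not None


def greet_unsafe(name: str) -> str:
    """The 'hello blabla' page from post #9: the input is reflected verbatim,
    so any markup or script it contains becomes part of the response."""
    return "<p>hello " + name + "</p>"


def greet_safe(name: str) -> str:
    """Two layers: reject anything outside the allow-list, then HTML-encode
    whatever is echoed back, so a later relaxation of the allow-list cannot
    silently turn user input into markup."""
    if not validate_name(name):
        raise ValueError("name rejected: characters outside the allow-list")
    return "<p>hello " + html.escape(name, quote=True) + "</p>"


def greet_lenient(name: str) -> str:
    """For fields where characters such as ' or & must be accepted (the caveat
    in post #3): no strict allow-list, but output encoding still stops the
    browser from interpreting the echoed value as HTML."""
    if len(name) > 64:
        raise ValueError("name too long")
    return "<p>hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for n in ["blabla", "O'Brien", "<script>alert(1)</script>"]:
        print(repr(n), "passes allow-list:", validate_name(n))
        print("  unsafe :", greet_unsafe(n))
        print("  lenient:", greet_lenient(n))
```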
