border: 1px solid #d2d2d2; padding: 0px 8px 0px 8px; color: #a19999; font-size: 12px; height: 25px; width: 165px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; margin:0px; } .submitbutton{ background:#F66303; border: 1px solid #F66303; text-shadow: 1px 1px 1px #333; box-shadow: 3px 3px 3px #666; font:bold 12px Arial, sans-serif; color: #fff; height: 25px; padding: 0 12px 0 12px; margin: 0 0 0 5px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; cursor:pointer;}

Receive all updates via Facebook. Just Click the Like Button Below

You can also receive Free Email Updates:

Powered By Blogger Widgets

Related Posts Plugin for WordPress, Blogger...

Wednesday, April 27, 2011

Cross Site Scripting (XSS) | The Basics


In this following post we will have some basic look over Cross Site Scripting. Cross 
site scripting is also known as XSS and many times people also abbreviate it as
 CSS (by the way CSS means Cascading Style Sheets. Commonly XSS is web 
application attack and not web server attack, it occurs in web application
which accepts input without validation and sanitization resulting giving an attacker
 chance to run a malicious script. XSS vulnerability occurs in a web application 
due to dynamic nature of a web page which is attained by Java Scripts, VB Scripts, 
ActiveX controls, Flash contents and scripts and sometimes with help of HTML too.
All those scripts and programming languages that are responsible for dynamic contents
 over a web page are also responsible for XSS attacks. An attacker can take advantage
 of XSS vulnerability and execute a malicious Java script, VB Script, ActiveX controls, 
Flash and HTML.

Most security professionals think XSS is lame game since it does not provide any help 
compromising a remote system, but this is not cent percent true. When circumstances
 are right you can surely own a system using XSS attack. Also level of catastrophic 
conditions depends upon where a vulnerable application is used and for what purpose.
 For example a bank’s web application XSS vulnerability can lead to serious online theft
 or an attacker who wants to execute a malicious script over several computers using 
social network. So in fact XSS is not all lame game as compared to SQL injection, 
command injection and directory transversal attacks.

XSS attacks can be classified into following two types,
Reflected Attacks
Stored Attacks

An attack where the inserted code is permanently stored in target server is known as 
Stored XSS Attack. An attack where the injected code needs special route to victim
 like email or hyperlink is known as Reflected XSS Attacks. XSS attacks executes 
codes with help of browser because it supports all scripts and ActiveX controls 
also no matter the attack type is reflected or stored the result of XSS will not differ.

Though this was just basic in future posts we will cover how some real web application
hacking takes place therefore for practice you’ll need vulnerable applications. Following
 is list of vulnerable web applications for practice,
Damn Vulnerable Web Application (DVWA)
Vicnum 
Bodgelt Store
WackoPicko
Jarlsberg

No comments:

Post a Comment

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More