
Cross Site Scripting (XSS) – Introduction and Mitigation Steps

Published on: 8/17/2014
Topic: Web Application Security
Cross Site Scripting (XSS) is the act of injecting malicious scripts or other HTML code into a web page so that it runs in the browsers of the site's users and causes them harm. Most often it abuses input that the site trusts (e.g. feedback comments): when such input is rendered as part of the page's HTML without validating or encoding the user-provided content, every other user who visits the page can become a victim of the XSS attack.


Overview

Depending on the malicious script, it may execute automatically in the web browser while the page is loading, or it may be triggered by a user action. A few web browsers, such as Internet Explorer, flag such infected pages as suspicious and warn the user if script code runs while the page renders, but many cross site scripts work by tricking users into clicking a link, image or similar element that carries out the malicious action without the user being aware of it.

The simplest example of how it works: if you enter the following JavaScript code in the comment section of a web page, then every time the page is loaded in a browser it will execute the script and prompt the user with a "hello" message:

<script>alert('hello');</script>

Injecting code with an img tag, using a javascript: URL in the src attribute (a vector that only older browsers executed; current browsers refuse to run script from an image source): <img src="javascript:alert('hello');">

Tricking users can be as simple as emailing them an interesting jpg (image) file, or posting a link in a comment, with the malicious script embedded in the jpg/image file. Many users see no risk in an image file, but as soon as they click on the link from the attacker's source their security may be compromised.
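The two payloads above both fail when the comment is rendered with output encoding and a URL allow-list. The following is an added example, not code from the article: escapeHtml, safeImageUrl, renderCommentUnsafe and renderCommentSafe are this example's own names, and the placeholder image path is assumed.

```javascript
// Escape the five characters that carry meaning in HTML text and attribute
// contexts, so untrusted text is displayed rather than parsed as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow only absolute http(s) URLs in src attributes. Anything else, including
// javascript: URLs (with leading whitespace or mixed case), gets a placeholder.
function safeImageUrl(raw) {
  try {
    const u = new URL(String(raw).trim());
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not a parsable absolute URL
  }
  return '/static/blank.png'; // assumed placeholder path
}

// Vulnerable rendering: untrusted comment fields are concatenated straight
// into the page markup, which is exactly how the stored XSS above lands.
function renderCommentUnsafe(c) {
  return `<li><img src="${c.avatar}"> <b>${c.author}</b>: ${c.body}</li>`;
}

// Hardened rendering: every untrusted value is encoded for the context it is
// placed in, and the image URL is checked against the scheme allow-list first.
function renderCommentSafe(c) {
  return `<li><img src="${escapeHtml(safeImageUrl(c.avatar))}"> ` +
    `<b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`;
}

// Constructed sample input: the article's two payloads submitted as one comment.
const hostile = {
  author: 'guest',
  avatar: "javascript:alert('hello');",
  body: "<script>alert('hello');</script>",
};

// Returns both renderings side by side for comparison.
function demo() {
  return { unsafe: renderCommentUnsafe(hostile), safe: renderCommentSafe(hostile) };
}
```

Running demo() shows the unsafe string still containing a live script tag and a javascript: src, while the safe string carries only inert, escaped text.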

