Cross-site Scripting or XSS is the Godfather of attacks against other users. It is by some measure the most prevalent web application vulnerability found in the wild, afflicting literally the vast majority of live applications, including some of the most security-critical applications on the Internet, such as those used by online banks.
XSS stands for Cross-Site-Scripting. It is basically an attack, that is used to execute HTML and Javascript on the web-page. This attack can be done by submitting queries into text-boxes, or even into the URL. The results come back reading the text as HTML, so it executes the scripts instead of displaying them in plain text. With an XSS attack, you can steal cookies from a Web-Administrator, or even use some social-engineering to manipulate someone into download a virus that you've created. Such as a Botnet, or RAT, maybe even a Keylogger.
Opinions vary as to the seriousness of XSS vulnerabilities. Ask many a hacker or professional pen tester, and they will tell you, “Cross-site scripting is lame.” And in one sense it is. XSS vulnerabilities are often trivial to identify and are so widespread that anyone with a browser can find an XSS bug somewhere in a matter of minutes. The Bugtraq mailing list is congested with attention seekers posting XSS bugs in unheard-of software. And in plenty of cases, XSS vulnerabilities are of minimal significance —not exploitable to do anything particularly worthwhile.
Our next post will focus on various types of XSS vulnerabilities and the possible ways to exploit them. Till then, goodbye.
XSS stands for Cross-Site-Scripting. It is basically an attack, that is used to execute HTML and Javascript on the web-page. This attack can be done by submitting queries into text-boxes, or even into the URL. The results come back reading the text as HTML, so it executes the scripts instead of displaying them in plain text. With an XSS attack, you can steal cookies from a Web-Administrator, or even use some social-engineering to manipulate someone into download a virus that you've created. Such as a Botnet, or RAT, maybe even a Keylogger.
Opinions vary as to the seriousness of XSS vulnerabilities. Ask many a hacker or professional pen tester, and they will tell you, “Cross-site scripting is lame.” And in one sense it is. XSS vulnerabilities are often trivial to identify and are so widespread that anyone with a browser can find an XSS bug somewhere in a matter of minutes. The Bugtraq mailing list is congested with attention seekers posting XSS bugs in unheard-of software. And in plenty of cases, XSS vulnerabilities are of minimal significance —not exploitable to do anything particularly worthwhile.
Our next post will focus on various types of XSS vulnerabilities and the possible ways to exploit them. Till then, goodbye.
No comments:
Post a Comment