How Cross Site Scripting Works

  • 0
  • August 18, 2007

Most people will have heard of XSS (Cross Site Scripting) attacks before. Many of you will understand the basics but may not have seen a real world aplication.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

Today Jurgen Schmidt of Heise Security talks about how some of these attacks work so that we can be more prepared to deal with the worst.

In the example Jurgen has two different links, both opening the same login form. The malicious link opens the form using some JavaScript code that attaches an onSubmit event to the form. Once you enter your password it can then be transmitted to the hacker.

Security isn’t going to become a regular feature on BlogStorm but the ingenuity and simplicity of the script combined with the potential threat prompted me to post about it.

Patrick Altoft

About Patrick Altoft

Patrick is the Director of Strategy at Branded3 and has spent the last 11 years working on the SEO strategies of some of the UK's largest brands. Patrick’s SEO knowledge and experience is highly regarded by many, and he’s regularly invited to speak at the world’s biggest search conferences and events.

Like what you see? Talk to an Expert