How Cross Site Scripting Works

  • 0
  • August 18, 2007
Patrick Altoft

Patrick Altoft

Director of Strategy

Most people will have heard of XSS (Cross Site Scripting) attacks before. Many of you will understand the basics but may not have seen a real world aplication.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

Today Jurgen Schmidt of Heise Security talks about how some of these attacks work so that we can be more prepared to deal with the worst.

In the example Jurgen has two different links, both opening the same login form. The malicious link opens the form using some JavaScript code that attaches an onSubmit event to the form. Once you enter your password it can then be transmitted to the hacker.

Security isn’t going to become a regular feature on BlogStorm but the ingenuity and simplicity of the script combined with the potential threat prompted me to post about it.

Free of charge. Unsubscribe anytime.