Beware of Cross-Site Scripting (XSS)

Soon after posting an article about the rise of hacker Cross-site Scripting (XSS) attacks, online security magazine Dark Reading was alerted to XSS vulnerabilities on its own site. The holes were quickly plugged and a valuable lesson was learned: don’t assume you’re safe, trust no one, and validate everything.

What may be even spookier for much of the beTech audience is that .edu sites may be particularly juicy XSS targets for hackers (according to Jaimie Sirovich, search engine marketing guru). And with a recent Mitre report placing XSS at the top of the list of Common Vulnerabilities and Exposures (CVE) and plenty of additional resources for the mischievous popping up every day, you can be sure your site security skills will be put to the test for some time to come.

So what the heck is this XSS stuff? SecurityDocs defines XSS thus:

…an XSS attack is when an attacker manages to inject JavaScript code or sometimes other code… into a website, causing it to execute the code.

What harm could this cause? Well, if an attacker made a specially crafted link and sent it to an unsuspecting victim, and that victim clicked the link and a piece of JavaScript code was executed which sent the victim's cookie away to a CGI script, obviously the attack could do some serious damage. When an attacker creates a malicious link he/she will usually encode the JavaScript code in HEX or some kind of encoding in order to try and hide the malicious code.

Websites that are vulnerable to XSS attacks are running some sort of dynamic content. Dynamic content is anything that changes due to user interaction or information stored in a database about a user; things such as forums, web-based email and places where information is submitted are vulnerable to XSS attacks.

As you can see, the user and the host are at risk. Aside from stealing client cookies and login information, XSS can be used to locate and potentially take advantage of vulnerabilities in unprotected web sites. As a web developer, you should be concerned with both scenarios. Your site and your data may be your primary concern, but securing your user’s login and other sensitive information is of paramount importance if you wish to maintain their trust.

What can you do? As a developer, you trust no one and validate all incoming data—especially HTML text coming in on links. As a user, you try to manage JavaScript’s XSS weaknesses with tools like the NoScript extension for Firefox or Stanford’s SafeCache (another Firefox extension). The bottom line for developers and users alike is that XSS is on the rise, so trust no one and keep an eye on those links.
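As an added illustration (not code from the original post or from SecurityDocs), here is the reflected pattern the quoted definition describes, beside its hardened form. The search page, the crafted link and the harmless marker payload are constructed for the example; it also shows why a filter that inspects the raw, HEX-encoded link misses the script, so validation has to run on the decoded value and output must be escaped regardless.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a search page that echoes the "q" parameter back.
# The payload is percent-encoded (the "HEX" encoding the quoted text
# mentions), so no script tag is visible in the raw link itself.
CRAFTED_LINK = "http://example.test/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def naive_raw_check(url: str) -> bool:
    """A filter that looks for '<script' in the raw link: it is blind to
    the encoded form and therefore reports nothing for CRAFTED_LINK."""
    return "<script" in url.lower()


def query_param(url: str, name: str) -> str:
    """Extract one query parameter. parse_qs percent-decodes it, exactly as
    a web framework or CGI library would before handing it to the app."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """Echoes the decoded user term straight into HTML: reflected XSS."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Same page with the term HTML-escaped on output. '<' becomes '&lt;',
    so the browser shows the payload as text instead of running it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show which rendering leaves a live tag."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    term = query_param(CRAFTED_LINK, "q")
    print("raw-link filter flagged it:", naive_raw_check(CRAFTED_LINK))
    print("decoded parameter:         ", term)
    print("vulnerable page:           ", render_vulnerable(term))
    print("hardened page:             ", render_hardened(term))
```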

Additional information:

About Us

  • Building the University of Virginia web development community one passionate geek at a time.
