Page 54 - Cyber Warnings







Security Basics: What Is A Cross-Site Scripting Attack?


Cross-site scripting is one of the most exploited vulnerabilities on
the web. In this article we explore XSS attacks and how to avoid them.




Once, the web was static and information moved in one direction: from the server to the web
browser and thence to the site visitor. But the web has changed. Now almost all sites allow
users to submit content, even if it’s just in a contact form.

By entering their own content, users change the page that is delivered to their browser. Dynamic
sites are what made the web what it is today; without them, eCommerce, conversation, and data
submission via web pages would be impossible. But allowing user-submitted content to
influence what appears on web pages introduces a vulnerability that doesn’t exist on static web
sites: the cross-site scripting attack, also known as an XSS attack or, less commonly, a CSS
attack.

By some estimates, cross-site scripting attacks have overtaken even buffer overflows as the
hacker’s tactic of choice. They are simple enough to carry out if you have a modicum of coding
ability, and the vulnerability exists on thousands of sites.


If you run a website, it’s worth understanding how cross-site scripting attacks work.

Consider the fairly simple example of a blog’s comment section. Users enter their comment, hit
the submit button, and what they wrote is served back to them. It’s also served to everyone else
who looks at the thread. That’s fine if the comment just contains HTML, but in some cases, web
applications don’t properly sanitize user input.
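
The comment-thread case above, as an added example that is not part of the original article: the same constructed comments rendered once by plain string concatenation and once with HTML output encoding, which is one common way to neutralise user-supplied markup. All function and variable names are hypothetical.

```javascript
// Added example: a blog comment thread rendered two ways.
// Names (escapeHtml, renderThreadUnsafe, renderThreadSafe) are hypothetical.

// Characters that let text break out of an HTML text node or quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user-controlled fields are concatenated into the page as markup.
function renderThreadUnsafe(comments) {
  return comments
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('\n');
}

// Hardened: every user-controlled field is encoded for the HTML context first.
function renderThreadSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Constructed sample input: one ordinary comment, one carrying a script element.
const SAMPLE_COMMENTS = [
  { author: 'alice', body: 'Nice post, thanks & well done!' },
  { author: 'mallory', body: '<script>alert("xss")</script>' },
];

// True if the rendered thread contains a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderThreadUnsafe(SAMPLE_COMMENTS));
console.log(renderThreadSafe(SAMPLE_COMMENTS));
```

In the hardened output the second comment is delivered to every visitor as visible text rather than as an element the browser would execute.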

If, instead of just a comment, the user entered some JavaScript between