Cross-Site Scripting Hacks in Web Applications

Cross-site scripting (XSS) is perhaps the most well-known web vulnerability that can get your site hacked. XSS occurs when a web page displays user input — typically via JavaScript— that isn’t properly validated. A criminal hacker can take advantage of the absence of input filtering and cause a web page to execute malicious code on any user’s computer that views the page.

For example, an XSS attack can display the user ID and password login page from another rogue website. If users unknowingly enter their user IDs and passwords in the login page, the user IDs and passwords are entered into the hacker’s web server log file.

Other malicious code can be sent to a victim’s computer and run with the same security privileges as the web browser or e-mail application that’s viewing it on the system; the malicious code could provide a hacker with full Read/Write access to browser cookies, browser history files, or even permit the download/installation of malware.

A simple test shows whether your web application is vulnerable to XSS. Look for any fields in the application that accept user input (such as on a login or search form), and enter the following JavaScript statement:

<script>alert('XSS')</script>

If a window pops up that reads XSS, the application is vulnerable.

image0.jpg

There are many more iterations for exploiting XSS, such as those requiring user interaction via the JavaScript onmouseover function. As with SQL injection, you really need to use an automated scanner to check for XSS. Both webInspect and Acunetix web Vulnerability Scanner do a great job of finding XSS. They often tend to find different XSS issues, a detail that highlights the importance of using multiple scanners when you can.

image1.jpg

Another web vulnerability scanner that’s very good at uncovering XSS that many other scanners won’t find is NTOSpider from NT Objectives. NTOSpider works better than other scanners at performing authenticated scans against applications that use multi-factor authentication systems. NTOSpider should definitely be on your radar as a potential primary or secondary scanner. Remember: When it comes to web vulnerabilities, the more scanners the better!

blog comments powered by Disqus
Advertisement

Inside Dummies.com