CROSS SITE SCRIPTING ATTACKS

2:48 PM

Cross-site scripting (XSS)-

Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users of the site. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy, because the injected script runs with the privileges of the vulnerable site in the victim's browser. Cross-site scripting carried out on websites is a major security concern.


XSS Attack Types-

Non-persistent (reflected)
The non-persistent (or reflected) XSS vulnerability is by far the most common type. It occurs when data supplied by a web client, most commonly in HTTP query parameters or a form submission, is used immediately by server-side code to build a page for that same user without first being sanitised. Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection. A reflected attack is typically delivered via email or a neutral website: the bait is a normal-looking URL that points to a trusted site but in reality contains the XSS vector. If the trusted site is vulnerable to the vector, clicking the link causes the victim's browser to execute the injected script.

Persistent (stored)
The persistent (or stored) XSS vulnerability is a more damaging variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.
Persistent XSS can be more significant than other types because an attacker's malicious script is rendered automatically, without the need to individually target victims or lure them to a third-party website. Particularly in the case of social networking sites, the code can be further designed to self-propagate across accounts, creating a type of client-side worm. The methods of injection can vary a great deal; in some cases, the attacker may not even need to directly interact with the web functionality itself to exploit such a hole. Any data received by the web application that can be controlled by an attacker could become an injection vector.

Protecting from XSS Attacks-

Contextual output encoding of input strings and parameters
The primary defense mechanism to stop XSS is contextual output encoding/escaping. There are several different escaping schemes that must be used depending on where the untrusted string is placed within an HTML document, including HTML entity encoding, JavaScript string escaping, CSS escaping, and URL (or percent) encoding. Each scheme protects only the context it was designed for, so the encoding must be chosen by where the value lands at output time, not applied once when the input is received.
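The reflected injection described under the attack types above, together with the context-specific encoders this section calls for, as an added example written for this edit (it is not code from the original post). It runs under Node.js or in a browser console; the `payload`, the page template in `renderVulnerable` and `renderSafe`, and the `containsInjectedScript` check are constructed for illustration.

```javascript
// Added example (not from the original post): the same user-supplied value
// placed into three HTML contexts, first by raw concatenation (vulnerable)
// and then through an encoder chosen for each context.

// Constructed attacker input, e.g. the "q" parameter of a search page.
const payload = '"><script>alert(document.cookie)</script>';

// --- Vulnerable: untrusted data concatenated straight into markup ---
function renderVulnerable(q) {
  return `<p>Results for: ${q}</p>
<input type="text" value="${q}">
<script>var lastQuery = "${q}";</script>`;
}

// --- Encoders, one per output context ---

// HTML body text and double-quoted attribute values: entity-encode the
// characters that can close a tag, close an attribute, or start an entity.
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// JavaScript string literal inside a <script> block: \xHH/\uHHHH-escape
// everything outside [A-Za-z0-9], so neither a quote nor "</script>"
// can survive into the output.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query component: percent-encoding via the platform API.
function encodeUrlComponent(s) {
  return encodeURIComponent(String(s));
}

// --- Hardened: same page, each insertion encoded for its own context ---
function renderSafe(q) {
  return `<p>Results for: ${encodeHtml(q)}</p>
<input type="text" value="${encodeHtml(q)}">
<script>var lastQuery = "${encodeJsString(q)}";</script>
<a href="/search?q=${encodeUrlComponent(q)}">permalink</a>`;
}

// Crude check used only to show the difference between the two renders:
// does the output still contain the attacker's executable <script> tag?
function containsInjectedScript(html) {
  return /<script>alert\(/i.test(html);
}

console.log('vulnerable:', containsInjectedScript(renderVulnerable(payload)));
console.log('hardened:  ', containsInjectedScript(renderSafe(payload)));
```

Note that the `<script>` context uses `encodeJsString` rather than `encodeHtml`: browsers do not decode HTML entities inside script content, so an entity-encoded value there is both corrupted and only partially protected, which is exactly why the encoder has to follow the output context.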

Cookie security
Besides content filtering, other imperfect methods for cross-site scripting mitigation are also commonly used. One example is the use of additional security controls when handling cookie-based user authentication. Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal them. Marking the session cookie HttpOnly keeps it out of document.cookie, so an injected script cannot read it directly; the script can still act on the user's behalf from within the page, so this limits the damage rather than preventing the attack.
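The cookie hardening described above as an added example written for this edit (not code from the original post): a helper that issues a session cookie with the flags that keep it away from injected script, and a small audit that parses Set-Cookie headers and reports session cookies missing them. The `sessionNames` heuristic and the `sampleHeaders` are constructed for illustration; HttpOnly, Secure and SameSite are the standard Set-Cookie attributes.

```javascript
// Added example (not from the original post): build a session cookie that
// page scripts cannot read, and audit Set-Cookie headers for the flags
// that limit what a successful XSS can steal.

// Build a Set-Cookie header value. HttpOnly keeps the cookie out of
// document.cookie (and so out of reach of injected script); Secure
// restricts it to HTTPS; SameSite=Lax limits cross-site sending.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600 } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('bad cookie name');
  // Cookie values may not contain control characters, whitespace, commas,
  // semicolons or backslashes; reject rather than silently truncate.
  if (/[\s,;\\\x00-\x1f\x7f]/.test(value)) throw new Error('bad cookie value');
  return [
    `${name}=${value}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Parse one Set-Cookie header into the cookie name and a map of
// lower-cased attribute names to their values (true for bare flags).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Map();
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    const val = i === -1 ? true : a.slice(i + 1);
    attributes.set(key, val);
  }
  return { name, attributes };
}

// Report session-like cookies that lack HttpOnly or Secure.
// sessionNames is a constructed heuristic; extend it for the app under test.
function auditCookies(headers, sessionNames = ['sessionid', 'sid', 'jsessionid', 'phpsessid']) {
  const findings = [];
  for (const h of headers) {
    const { name, attributes } = parseSetCookie(h);
    if (!sessionNames.includes(name.toLowerCase())) continue;
    const missing = [];
    if (!attributes.has('httponly')) missing.push('HttpOnly');
    if (!attributes.has('secure')) missing.push('Secure');
    if (missing.length) findings.push({ name, missing });
  }
  return findings;
}

// Constructed sample headers, as they might appear in an HTTP response.
const sampleHeaders = [
  'PHPSESSID=abc123; Path=/',
  'sid=def456; Path=/; Secure',
  'theme=dark; Path=/',
  buildSessionCookie('sessionid', 'ghi789'),
];

console.log(auditCookies(sampleHeaders));
// Only the first two are reported: PHPSESSID lacks both flags, sid lacks HttpOnly.
```

The audit is the kind of check worth running against a staging response before release; the cookie named `theme` is ignored because it carries no credential, and the cookie built by `buildSessionCookie` passes because it already carries both flags.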

Disabling scripts
Some browsers or browser plugins can be configured to disable client-side scripts. Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effective, such as the implementation of security zones.

In particular, all major banking and commercial sites should implement XSS protection in their code and applications in order to secure their sites from hackers and intruders; such protection thwarts attacks aimed at innocent visitors who use their personal credentials on those sites.
