Cross Site Scripting Attacks
Synonyms
Definition
Cross-site Scripting (XSS) refers to a range of attacks in which the attacker submits malicious HTML such as JavaScript to a dynamic Web application. When the victim views the vulnerable Web page, the malicious content seems to come from the Web site itself and is trusted. As a result, the attacker can access and steal cookies, session identifiers, and other sensitive information that the Web site has access to.
Theory
The JavaScript language is widely used to enhance the client-side display of Web pages. JavaScript was developed by Netscape as a lightweight scripting language with object-oriented capabilities and was later standardized by the European Computer Manufacturers Association (ECMA). Usually, JavaScript code is downloaded into browsers and executed on the fly by an embedded interpreter. However, JavaScript code that is automatically executed may represent a possible vector for attacks against a user’s environment.
Secure execution of JavaScript code...
Recommended Reading
- 1.CERT. Advisory CA-2000-02: malicious HTML tags embedded in client web requests. http://www.cert.org/advisories/CA-2000-02.html
- 2.CERT. Understanding malicious content mitigation for web developers http://www.cert.org/tech_tips/malicious_code_mitigation.html
- 3.Endler D. The evolution of cross site scripting attacks. Technical report, iDEFENSE LabsGoogle Scholar
- 4.Jovanovic N, Kruegel C, Kirda E (2006) Pixy: a static analysis tool for detecting Web application vulnerabilities. In IEEE Symposium on Security and Privacy, Berkeley, CaliforniaGoogle Scholar