ghacks Technology News

Cross Site Scripting

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.

Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them. If for example I was logged in as “john” and read a message by “joe” that contained malicious JavaScript in it, then it may be possible for “joe” to hijack my session just by reading his bulletin board post. Further details on how attacks like this are accomplished via “cookie theft” are explained in detail below.

Source: “The Cross Site Scripting FAQ”. Click link to read the whole faq.

Update: Users who are looking for protection against Cross Site Scripting attacks may want to check out the excellent NoScript add-on for the Firefox web browser. XX protection is automatically enabled after installation. The extension for Firefox blocks untrusted websites from injecting scripts into trusted websites, which is an excellent way of protecting users from XSS attacks.

cross site scripting protection

Additional information about Cross Site Scripting are available on Wikipedia. The external links section on the site is especially useful for researchers and security interested users.

Enjoyed the article?: Then sign-up for our free newsletter or RSS feed to kick off your day with the latest technology news and tips, or share the article with your friends and contacts on Facebook or Twitter.

Related Articles:

Google Implements Cross-site Request Forgery Protection
RequestPolicy For Firefox Gives You Control Over Cross-Site Connections
CsFire, Protects Against Malicious Cross-Domain Requests In Firefox
Get to know Linux: Bash scripting basics
Google fixes YouTube xxx spam flaw



About the Author:Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook or Twitter.

Author: , Thursday October 27, 2005 -
Tags:, , , ,

Previous Post: Two quick and dirty webcam searches

Next Post: The IP: The housenumber of your Computer

Click on the following link(s) to read more about Browsing, Security

Leave a Reply   Follow Ghacks   Subscribe To Comment Rss

Subscribe without commenting

 Ghacks Technology Newsletter 
Ghacks Daily Newsletter

Recent Posts


Follow This Blog

Ghacks Newsletter
RSS Feeds
Google+ Page
Facebook Fan Page
Twitter



Popular Articles

Popular Searches

Popular Tags

Topics

Links

About Ghacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular latest tech news sites on the Internet with five authors and regular contributions from freelance writers.

Services

Authors

Martin Brinkmann
Melanie Gross
Mike Halsey
Ryan D. Lang
Jack Wallen

© 2005-2012 Ghacks.net. All Rights Reserved. Privacy Policy - About Us