Wednesday, September 6, 2017

Cross-site Scripting


Have you ever gotten this message when logging on to a site? 
     If so, do you know what it means? I didn't. Cross-site Scripting is a type of attack against the users of a website, in which the attacker uses the website itself to deliver potentially malicious JavaScript code to an end user.
     To understand the Cross-site Scripting vulnerability you first have to understand the basic concept of the Same Origin Policy (SOP), one of the most important security principles of every web browser. The SOP forbids websites from retrieving content from pages with another origin. Because access to cross-origin content is forbidden, random websites cannot read or modify data from your Facebook page or PayPal account, for example, while you are logged in to them.

An example:
https://example.com/index.html...can access content from
https://example.com/about.html

https://attacker.com/index.html...cannot access content from
https://example.com/about.html.

     Cross-site Scripting (XSS) is a way of bypassing the SOP: when HTML code is generated and the user input is not sanitized, an attacker can insert his own HTML code, and the web browser will still render that user-supplied code as part of the page. The attacker can easily insert JavaScript code, which would then run under the real site.
     What this means is that the attacker would then be able to gain access to users' cookies, session IDs, passwords, private messages, etc. They can read and access the content of a page for any attacked user, and therefore all the information displayed to that user. The attacker may also compromise the content shown to the user.
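
To make the "user input is not sanitized" part concrete, here is an added example (not code from the original post) of a comment renderer written two ways: one that pastes user input straight into the HTML, and one that escapes it first. The function names, the sample comments and the `containsActiveMarkup` check are all made up for this illustration.

```javascript
// Added example: constructed comment-rendering code for illustration only.

// Vulnerable: user input is concatenated straight into the markup,
// so any tags it contains become part of the page.
function renderCommentUnsafe(author, text) {
  return '<div class="comment"><b>' + author + '</b>: ' + text + '</div>';
}

// Characters that can change HTML structure, mapped to inert entities.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape in a single pass so '&' is never double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened: every piece of user input is escaped before it reaches the
// markup, so the browser displays it as text instead of parsing it.
function renderCommentSafe(author, text) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
         escapeHtml(text) + '</div>';
}

// Rough demo-only check (not a filter): does the rendered markup contain
// a script element or an inline event handler attribute?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed sample input: one ordinary comment, two carrying markup.
const samples = [
  { author: 'alice', text: 'Nice post!' },
  { author: 'mallory', text: '<script>alert(document.domain)</script>' },
  { author: 'mallory', text: '<img src=x onerror="alert(1)">' },
];

for (const s of samples) {
  const unsafe = renderCommentUnsafe(s.author, s.text);
  const safe = renderCommentSafe(s.author, s.text);
  console.log('unsafe active markup:', containsActiveMarkup(unsafe));
  console.log('safe   active markup:', containsActiveMarkup(safe));
  console.log('safe output:', safe);
}
```

The escaping shown here covers user input placed in HTML text and quoted attribute values; input placed inside a script block, a URL or a style needs escaping that matches that context.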
