Cross site scripting Essay Example for Free

Cross site scripting Essay Cross-site scripting is form vulnerability for computer security which mainly occurs in web applications that accept injection of code by web users who happen to be malicious; such users inject the code into various web pages that are used by other web users. The most common codes that are usually injected by malicious web users include scripts of client side and HTML codes. Cross site scripting (XSS) vulnerability which is exploited is usually used by attackers for by passing the certain access controls, a good example of such bypass is a policy of the same origin. XSS originated from the fact that it is possible for a malicious web site to be loaded into another window or frame and then write or read data using java script on other web sites (Rafail, 2001). Cross site scripting vulnerabilities XSS vulnerabilities have been well exploited to come up with very powerful browser exploits and phishing attacks. XSS performed on websites were about eighty percent of all the recorded securities as indicated by the 2007 statistics. In most cases of attack every thing looks to be in order as far as the end users are concerned, but they are finally subjected to access which is not authorized, financial loss and loss of sensitive data (Rafail, 2001). The cross site scripting can be primarily be categorized into two: reflected and stored. But there is another type of cross site scripting which is not widely known, called DOM. The stored refer to those codes that once injected are stored in the target servers permanently. They can remain permanently in the message forum, database comment field, or in the visitor log. The reflected XSS attacks, are the codes which when injected, the web server is reflected off as a search result, an error message or other forms of responses that may include all or some of the input that was sent to the various servers as request in part. Usually the reflected attacks are sent to the victims through other channels such as electronic mail messages, or through other web servers. Once a user is lured into clicking a link which is malicious or is tricked to submit a form which is specially crafted, the code that has been injected travels via the web server which is vulnerable, the reflected attack is in turn sent back to the browser and the code is then executed as if it originated from a valid server (Rafail, 2001). The consequences of cross site scripting attacks are primarily the same regardless of whether they are DOM based, reflected or stored. The main difference the manner in which the pay load enters the server. Cross site scripting is capable of causing various problems to the end users. The problems range in severity, they can cause annoyance to the end users as well as complete loss of accounts. The most serious attacks of XSS result into disclosure of the users information and data thus giving the attacker to actually hijack the session of the user and thus be in a position to comfortably take over the users accounts. The XSS expose the end users to other damaging attacks such as Trojan programs installations, disclosure of files belonging to the end users, redirecting the web user to other sites or pages, or modification of the contents. A cross site scripting vulnerability that allows the attacker to change certain news item or a press release is capable of affecting the stock price of an organization or decreasing the confidence of the consumer. For example a cross site scripting vulnerability on a site of a pharmaceutical can allow the attacker to alter the information of dosage which might result into over or under dosage (Rafail, 2001). Flaws in an XSS are at times very difficult to establish and get rid of them from web applications. In order to find such flaws, the best method to use is performing a review on the security code and also to perform a thorough search in all possible areas where HTTP input request can easily finds its way into output of the HTML. It is very important to note that various tags of HTML tags can be effectively used in transmission of java scripts which are malicious. Nikto, Nesus plus other tools which are currently available in the market can be used in scanning the websites but they are less effective since they are only capable of scratching the surface and are not capable of eliminating all the flaws in the system (Snake, n. d. ). Preventing XSS attacks Once a web site becomes victim of XSS attack the end user is likely too loose a lot of crucial data and information. It is therefore, very important for people to protect themselves against such attacks. One of the best ways of preventing your self of becoming a victim to an XSS attack is failing to respond to a request that is unsolicited by providing your personal details. Such information should not be provided whether it is over the internet or the phone. Users should know that the internet and e-mail pages that are usually used by the XSS attackers look similar to those used by the legitimate institutions and it might be quite hard to distinguish between the two. So if one believes that the contacts could be valid them they should contact the institution in question themselves. They can do so by either visiting the company’s website and instead of using the provided link one should actually type the address or use a page that you might have book marked earlier. One should initiate the contact using the information that you have verified (Naraine, 2009). Conclusion Cross site scripting is a serious fraudulent activity and once one falls prey to it can end up loosing significantly. It is thus good to increase awareness of such vices so that when people are targeted for such acts they can be able to identify them and subsequently be in a good position to protect them. The end users should also do all that is possible in order to conceal their vital information and ensure that it is only given to the relevant authorities when needed. It is also important to keep scanning their system regularly using valid tools. Reference: Naraine, R. (2009): Phishing without bait: The in-session password theft attack, Retrieved on 1st June 2009 from, http://blogs. zdnet. com/security/? p=2390. Rafail, J. (2001): Cross-Site Scripting Vulnerabilities, Retrieved on 1st June 2009 from, http://www. cert. org/archive/pdf/cross_site_scripting. pdf. Snake, R. (n. d. ): XSS (Cross Site Scripting) Cheat Sheet Esp. : for filter evasion, Retrieved on 1st June 2009 from, http://ha. ckers. org/xss. html.