July 09, 2008

What is Cross Site Scripting (XSS)?

Web sites have become quite complex and dynamic in nature these days. They have incorporated features that increase user experience and make browsing enjoyable. With new features come new troubles too. One major and popular threat is "Cross Site Scripting" but security professionals call it XSS. In this article, I will explain what it is and how as a netizen, avoid an attack.

So, what is XSS? Cross Site Scripting (XSS) is said to occur when a web site collect malicious data from a user. The attacker adds the malicious code in a form or link. Usually the code is encoded in HEX or other encoding methods. For a normal user the link or form appears normal and part of the web site. On accessing these links, the data about the user collected. Along with this, the code creates an output that looks genuine. For example, Orkut user would have received java script that can be executed through the Orkut scrap box. The script gives interesting output that look harmless but, it is easy for the attacker to hijack my session and use it.

XSS can be in the form of JavaScript, VBScript, ActiveX, HTML, or Flash. And using XSS you can hijack accounts, manipulate with user settings, steal cookies or poison them, and also do false advertising. This attack can even occur on a secured site too. The lock on your browser does not mean that you are secure for XSS!

So what do we do? As a common user here are few things that you can do to prevent XSS attack:
  • Always follow links from the main website. For example, if you see link to news article of site X on site Y. It is better to open site X, use its menu or search feature to get the news or article.
  • Think twice before you click on ads placed on less know web sites. If an ad interests you, google it and view the site!
  • Be careful in opening your emails, its attachments etc.
  • Keep internet security at high level in your browser.
These actions might help you from XSS attack. At the same time, browser vendors like Mozilla and Microsoft have started their war against this attack. IE8 team recently demonstrated their XSS filter on IEblog. From Firefox, you already have add-ons that help you detect and prevent XSS.

No comments :