XSS stands for Cross-Site Scripting. It is an attack technique against web applications. A page that takes data supplied by one user and writes it into the HTML it serves lets that user alter the page as other viewers see it, including running script in their browsers. Code is vulnerable to XSS wherever it copies an input parameter into the HTML output stream returned to the client without encoding it first.
The first thing to consider is what an attacker could be trying to gain by using XSS.
1. Theft of accounts/services: The first thing that comes to mind when XSS is mentioned is cookie theft and account hijacking. Script injected into the page can read the site's cookies and send them elsewhere, and a stolen session cookie lets the attacker act as that user until the server invalidates the session. The damage is worst when the cookie holds all of the verification information on the client side and nothing is tracked on the server, since there is then nothing to invalidate. Marking the session cookie HttpOnly keeps it out of reach of document.cookie, which blunts this particular use of XSS, although injected script can still send requests that carry the cookie.
2. User tracking/statistics: Using XSS it is possible to gather information on a site's visitor population, since the injected script runs in every visitor's browser and can report back what it sees.
3. Browser/user exploitation: The classic proof that a site is vulnerable is the simple alert box, alert(1), popping up. A script that can do that can do anything else client-side script can, so attacks on the browser itself, or on the user through it, fall into this category.
4. Credible misinformation: Once there is active script executing in a browser, the attacker can do anything he or she desires with the page's content. If that is a large trusted site, this is quite a dangerous thing: rewriting the page is only a minor twist on the same injection, and the site's own reputation lends the false content credibility.
5. Free information dissemination: One can spread unwanted content (junk mail, spam) through an XSS-vulnerable site by posting a crafted URL on some message board; for a very small message the whole payload can be carried in the URL itself. The vulnerable site hosts and serves the content, so the attacker has no need to expose a web hosting account of his or her own.
6. Others: Attackers will find many other uses. They might, for example, use an XSS-vulnerable site's large user base to chew up a smaller site's bandwidth by having every visitor's browser request it.
The next important question is where the web application can fall victim.
The easiest case to exploit is a parameter passed as a query string argument that gets written directly into the page. This is an active XSS attack (now more commonly called reflected XSS): the script travels in the URL and runs only in the browser of the visitor who opens that URL.
The more dangerous kind is the passive XSS attack (now usually called stored or persistent XSS). If one is able to include active scripting in a post, then everyone who later views the page runs that script automatically and without their knowledge.
Sites vulnerable to this type of attack include guest books, HTML chat rooms, message boards, discussion forums and anything else that shows one user's input to other users.
Here are some techniques used to hit a web application with XSS…
1. Knowing the importance of nested quotes, one can escape out of a quoted string by supplying the quote character itself, ' or ", or the escaped forms \u0022 and \u0027. The escaped forms only help where the application decodes them before writing the output (a filter that checks the raw input for quotes sees none, and the decoder then produces one); a \u0022 that reaches a JavaScript string literal untouched is just a quote character inside the string, not its closing quote.
2. Browsers warn when an SSL (Secure Sockets Layer) page loads script from an untrusted site, but if one can upload anything to the server, such as an image or article whose contents are really JavaScript, that upload can be referenced from the same site as script src="file.jpg" and the warning never appears. Current browsers refuse to run a script response that arrives with an image MIME type, and the X-Content-Type-Options: nosniff header disables the content sniffing this trick depended on, so servers should send it on user uploads.
3. Script running in a page can read the entire page's content and can also edit it. This was first noted for Internet Explorer, but every browser's DOM allows the same.
4. One can enter data that includes the valid data the field expects plus some HTML and JavaScript, so that the input passes a format check and still injects.
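As an added example (not code from the original article), here is a JavaScript page template that writes a display name into an inline script, to show technique 1 above: a raw quote breaks out of the literal, a \u0022 does not unless the application decodes it first, and a properly built string literal stops both. The names, payloads and the nameFromRequest decoding step are constructed for this example.

```javascript
// Added example, not code from the original article: a page that writes the
// user's display name into an inline script.  Names and payloads are
// constructed; nameFromRequest is a stand-in for an application that filters
// raw quotes and then decodes \uXXXX escapes before rendering.

// Vulnerable: the name lands between the quotes of a JavaScript string
// literal, so a quote in the data ends the literal and the rest is code.
function greetingScriptVulnerable(name) {
  return 'var user = "' + name + '"; return "Hello, " + user;';
}

// Hardened: emit a real string literal.  JSON.stringify escapes " and \;
// the extra replaces turn < and > into \u003c and \u003e so the data cannot
// contain a literal </script> that would end the inline script block before
// the JavaScript parser ever sees the string.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}
function greetingScriptHardened(name) {
  return 'var user = ' + jsStringLiteral(name) + '; return "Hello, " + user;';
}

// Stand-in for the browser: parse and run the generated script, returning
// its result so the outcome of each payload can be checked.
function runInBrowser(script) {
  return new Function(script)();
}

// Constructed application step: a deny-list check on raw quote characters,
// followed by a decode of \uXXXX escapes (JSON.parse does that here).  The
// filter never sees a quote; the decoder hands one to the template.
function nameFromRequest(rawValue) {
  if (/["']/.test(rawValue)) throw new Error('quote character rejected');
  return JSON.parse('"' + rawValue + '"');
}

// Walk through the cases from the text.
const breakout = '"; return "hijacked"; //';
const escaped = '\\u0022; return 1; //';   // the literal text \u0022; return 1; //
console.log(runInBrowser(greetingScriptVulnerable('alice')));    // Hello, alice
console.log(runInBrowser(greetingScriptVulnerable(breakout)));   // hijacked
console.log(runInBrowser(greetingScriptVulnerable(escaped)));    // Hello, "; return 1; //
console.log(runInBrowser(greetingScriptVulnerable(nameFromRequest(escaped)))); // 1
console.log(runInBrowser(greetingScriptHardened(breakout)));     // Hello, "; return "hijacked"; //
```

The third call is the point of the caveat in technique 1: with no decoding step the \u0022 stays inside the string value. The fourth shows the same input once an application decodes it after its quote filter has run. JSON.stringify alone is not enough for an inline script, which is why jsStringLiteral also escapes the angle brackets.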
Now we must think about the remedy. Active XSS is relatively easy to handle. At the point where user input is written into the page, the characters that have meaning in HTML (<, >, &, " and ') must be encoded as entities. Filtering out known-bad sequences such as <script> is not enough: there are many other ways to express the same script, and a filter that runs only once can be defeated by nesting.
Quoting every attribute value, and encoding any quote characters inside it, makes sure that the user cannot escape the element attribute and insert his or her own event handlers.
Where users may supply a URL, for an image or link in a post, deny any URL that has a ? in it or references a server script. This denies users the ability to plant a web bug that fires in every surfer's browser. The danger of allowing such URLs is that someone could collect statistics on users and the site, and track users across pages through the Referer header.
Prevention against passive XSS is completely different. HTML is a very dynamic and free-flowing language; it allows the web to be as advanced and colorful as it is, but it is also the source of the nightmare: how do you filter it? The easiest prevention is to give users no permission to use any form of HTML in their data, encoding everything on output as above. If some HTML must be allowed, the safe approach is an allow-list of permitted tags and attributes with everything else rejected, never a deny-list of known-bad ones.
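The following JavaScript is an added example, not code from the original article, that puts the vulnerable guestbook rendering from the passive and active cases described earlier beside the defenses just listed: a <script> deny-list filter and the bypasses it misses, entity encoding of text and quoted attributes, the same encoder applied to a reflected search parameter, and the ? and server-script check on user-supplied links. All posts, payloads and host names are constructed.

```javascript
// Added example, not code from the original article: one guestbook page
// rendered three ways (raw, with a <script> deny-list, with output encoding),
// plus the reflected search-box case and a link check.  All posts, payloads
// and host names are constructed for the example.

// Constructed guestbook posts; the second one is an attacker's.
const posts = [
  { author: 'alice', text: 'Nice site!' },
  { author: 'mallory', text: '<script>alert(1)</script>' },
];

// 1. Vulnerable: user data is concatenated straight into the HTML stream,
//    both in text content and inside a quoted attribute.
function renderPostVulnerable(post) {
  return '<li class="post" data-author="' + post.author + '">' +
    post.text + '</li>';
}

// 2. A deny-list filter of the kind many sites reach for first: it strips
//    <script> tags, once, and nothing else.
function stripScriptTags(s) {
  return String(s).replace(/<\/?script[^>]*>/gi, '');
}
function renderPostFiltered(post) {
  return renderPostVulnerable({
    author: stripScriptTags(post.author),
    text: stripScriptTags(post.text),
  });
}

// 3. Output encoding: every character with meaning in HTML text or in a
//    quoted attribute value becomes an entity, so the input is displayed,
//    never parsed as markup.  Attribute values are always quoted.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
function renderPostEncoded(post) {
  return '<li class="post" data-author="' + encodeHtml(post.author) + '">' +
    encodeHtml(post.text) + '</li>';
}

// 4. The reflected ("active") case: the search term from the query string is
//    echoed into the page.  Only the visitor who opens that URL is hit, but
//    the fix is the same encoder.
function renderSearchVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return '<p>Results for ' + q + '</p>';
}
function renderSearchEncoded(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return '<p>Results for ' + encodeHtml(q) + '</p>';
}

// 5. User-supplied links (avatars, signatures): deny a ? or a server-script
//    extension so a post cannot carry a web bug that logs every viewer.
//    Rejecting non-http(s) schemes (javascript: in particular) goes beyond the
//    article's rule and is this example's addition.
function isAllowedLink(href) {
  let u;
  try { u = new URL(href); } catch (e) { return false; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return false;
  if (href.includes('?')) return false;
  if (/\.(php|asp|aspx|cgi|pl|jsp)$/i.test(u.pathname)) return false;
  return true;
}

// Render the constructed guestbook each way.
for (const post of posts) {
  console.log('raw      ', renderPostVulnerable(post));
  console.log('filtered ', renderPostFiltered(post));
  console.log('encoded  ', renderPostEncoded(post));
}
```

Two inputs worth trying against renderPostFiltered are <img src=x onerror=alert(1)>, which contains no script tag at all, and <scr<script>ipt>alert(1)</scr</script>ipt>, which the single-pass strip turns back into a script tag. renderPostEncoded survives both, and an author of x" onmouseover="alert(1) stays inside the data-author attribute because the quote is encoded.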
We cannot let our server be used for XSS attacks. We should not be the reason our clients lose their credit card numbers or have their accounts tampered with. On the user's side, the bluntest protection is to disable VBScript and JavaScript in the browser; that stops any payload from running, but it breaks most sites and protects only that one user, so the real fix belongs on the server.