Cross Site Scripting

Cross site scripting or XSS vulnerabilities allow client side scripts (JavaScript or ActiveX) from a third party to execute as if they originated from a trusted server.


This vulnerability is caused by unfiltered, unchecked input written to a web page by the trusted server. A third party may direct a user to send data to the trusted server. If the server expects non-script data but does nothing to ensure that no script is contained, it may pass the script back to the user to execute.


As a result a third party may be able to steal data such as the password of the user, read the user's private information, or act as the user.

Sites in Cross Site Scripting

The Cross Site Scripting FAQ
Answers questions on identification, threats, and prevention. Provides examples and links.
perl.com: Preventing Cross-site Scripting Attacks
Paul Lindner, author of the mod_perl cookbook, explains how to secure our sites against Cross-Site Scripting attacks using mod_perl and Apache::TaintRequest.
CERT Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests
Advisory published jointly by the CERT Coordination Center, DoD-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND), the Federal Computer Incident Response Capability (FedCIRC), and the National Infrastructure Protection Center (NIPC).
CERT/CC: How To Remove Meta-characters From User-Supplied Data In CGI Scripts
Examples in C and Perl.
Apache: Cross Site Scripting Info
How the attack affects websites hosted on the Apache webserver and Apache specific issues.
Microsoft Security Bulletin (MS00-060)
Patch available for 'IIS Cross-Site Scripting' vulnerabilities.
SkyLined: Cross-site scripting
Bad user-input filtering can lead to SQL- and HTML-injection, Cross-site scripting and server-side script DoS. Includes guide to finding flaws and an archive of flaws found in popular web sites.
iDefense iALERT White Paper: Evolution of Cross-Site Scripting Attacks
Predicts semi-automated techniques will aggressively begin to emerge for targeting and hijacking web applications.
Information on Cross-Site Scripting Security Vulnerability
Microsoft Technet provides a FAQ, overview of the threats posed by XSS, and suggestions for how their customers can protect themselves.
CNN.com: Schwab's Site Could be Vulnerable
Charles Schwab's online customers are at risk of having their account information accessed and their accounts manipulated due to the same software vulnerability that affected E-Trade's Web site in September.
Cross Site Scripting Vulnerabilities
Security consultant David deVitry offers background information, a free CSS vulnerability detector, and a list of vulnerable sites.
'Cross-site scripting' tears holes in Net security
USA Today article by Byron Acohido that details WhiteHat Security's assessment of Hotmail, Yahoo, Amazon, and America Online.
InfoWorld Opinions: Cross-site Scripting
Article on this often overlooked threat with links.
Bypassing Javascript Filters - The Flash Attack
Paper by EyeonSecurity explaining how to inject CSS attacks into Web applications which allow Flash content.