XSS - Beware!

Torch
I've recently been hired to make a certain website XSS proof. Some parts of the site were apparently made by an inexperienced programmer who had little knowledge of XSS, and thus left the site, and primarily its visitors, open to all kinds of attacks.
In general, over time I have seen many sites made by people without enough experience which were wide open to XSS attacks. So in my opinion, XSS is the first thing you should get to know about after learning some server-side language and deciding to make a dynamic site yourself.

What is XSS?
The acronym stands for Cross-Site Scripting. It is generally a malicious use of JavaScript directed not at the site itself, but at the visitors. Mainly it applies to websites which have areas where user input is allowed, like forums, guestbooks etc. If the website doesn't have proper filtering (like allowing the posting of HTML), a malicious user could use that enormous security hole to (for example) steal another user's login info.
You can try that yourself on the most simple example. When you are on some site that uses cookies, like this forum, type this in your address bar:
Code:
javascript:alert(document.cookie);
and it will show you the values of all the cookies set by that domain. In a similar but more advanced method, a hacker could retrieve the values of cookies set on your computer and thus steal your session.

There are many different uses and methods of application for XSS besides the ones I mentioned, and of course none of them are good. Learn them, but only so that you know how to protect your site and its users.

Here are a couple of useful links that can provide you more insight into XSS: 1, 2
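As an added example (not code from the original post), here is the "proper filtering" the post refers to, shown as server-side Node.js code that builds a guestbook or forum page. The vulnerable render concatenates the visitor's text straight into the HTML; the hardened render escapes every untrusted value at the point of output, so the browser treats it as text rather than markup. The sample post body is constructed for the demonstration and reuses the `alert(document.cookie)` snippet from the post above.

```javascript
// Added example, not part of the original thread: contrast an unsafe render of
// user-supplied text with an output-escaped one, as a guestbook page would be
// assembled server-side in Node.js.

// Every character with meaning in an HTML text or quoted-attribute context is
// mapped to its entity, so the browser treats the input as data, not markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the author name and post body are concatenated into the page
// unchanged, so a body containing <script> becomes a live script element.
function renderPostUnsafe(author, body) {
  return `<div class="post"><b>${author}</b>: ${body}</div>`;
}

// Hardened: the same template, but each untrusted value is escaped on output.
function renderPostSafe(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Rough check used only to show the difference between the two renders;
// it is not a filter and not a substitute for escaping.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a guestbook entry that tries to run script.
const SAMPLE_AUTHOR = 'visitor';
const SAMPLE_BODY = 'nice site <script>alert(document.cookie)</script>';

console.log('unsafe:', renderPostUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log('safe  :', renderPostSafe(SAMPLE_AUTHOR, SAMPLE_BODY));
```

Escaping belongs at the output boundary for the specific context (here HTML text), not as a blacklist applied when the post is stored; a value that is safe inside an HTML tag body is not automatically safe inside a `<script>` block or a URL. Separately, marking the session cookie HttpOnly keeps it out of `document.cookie` altogether, which limits what a script that does slip through can read.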

Fedlerner
Thanks Torch! It's useful! :D

PS: When the TorchSig will be back ? :p

Torch
Glad to be of help ;)

Anyway, I hope I'll get SigChat back online soon; it's down currently because of problems with the domain.