Cross-Site Scripting Prevention


Abstract

The objectives of the group are twofold: firstly, to carry out advanced research in distributed computing software, infrastructure and tools; and secondly, to establish collaborations with international research institutes of repute in this area, to enable the transfer of knowledge and technology. Web application security is not just about attackers hacking websites, stealing sensitive information from websites, sending high traffic to websites in denial-of-service attacks, or viruses, worms and Trojan horses. Are these the only problems we have? The answer is no. There are other problems that are frequently overlooked.

The objective of this article is to give you an insight into the areas a design architect should focus on while designing a web application in order to make it more secure. The article discusses almost all types of vulnerability that a hacker can exploit, and the countermeasures that avoid them.

Conclusion

Cross-site scripting, commonly referred to as XSS, occurs when a web application accepts malicious data from a user and reflects it to other users. Attackers will often inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application in order to fool a user and gather data from them.

Because the script code is downloaded by the browser from a trusted site, the browser has no way of knowing that the code is not legitimate (Berkan, 2007). Internet Explorer security zones provide no defense. Since the attacker's code has access to the cookies associated with the trusted site, which are stored on the user's local computer, a user's authentication cookies are typically the target of the attack.

An attacker normally exploits this by identifying a vulnerable page that echoes unvalidated input back to the browser. The following snippet shows the kind of input accepted by a vulnerable page that exposes this vulnerability:

http://www.yourapplicationname.com/home.aspx?name=

When this link is clicked, it will show an alert message because of the script tag embedded in the URL (McNiel, 1994).

Cross-site scripting (XSS) is probably the most common vulnerability. Not all XSS issues are easily exploitable; however, the presence of these errors demonstrates a lack of attention to input validation and output sanitization. The most likely place to find XSS is the search function. Enter a double quote followed by a closing angle bracket (">) as a search string and see what you get (Jackson, 2002). In particular, watch for pieces of HTML code that may suddenly become visible, or for skewed formatting in forms. As a next step, enter "> (Kosko, 2003). Even if you don't see the popup message, try to find the string in the result and see how the application dealt with the quote.

As a note, many applications will escape single quotes (') but not double quotes ("), so if you try to inject JavaScript you may need to use double quotes only. Again, for this one-hour exercise we are only trying to find XSS problems; exploiting them may take a bit more time. More dangerous XSS issues arise if content is stored in a database and not escaped ...
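The reflected parameter from the home.aspx snippet and the probe check above, as an added example that is not part of the original article: three renderers for the same `name` parameter (no encoding, the single-quote-only escaping the text warns about, and full HTML encoding) plus the "does the raw string survive into the response" check. The URL, parameter and probe string are constructed for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample URL in the shape the article shows for home.aspx?name=...
SAMPLE_URL = 'http://www.yourapplicationname.com/home.aspx?name=%22%3E%3Cb%3Eprobe%3C%2Fb%3E'


def name_from_url(url: str) -> str:
    """Pull the 'name' query parameter out of a URL (parse_qs URL-decodes it)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """Echoes the parameter into HTML with no encoding: any '<', '>' or '"' becomes markup."""
    return f'<input type="text" name="name" value="{name}"><h1>Welcome {name}</h1>'


def render_half_escaped(name: str) -> str:
    """Escapes single quotes only (the inconsistency the article notes);
    a double quote still closes the value="..." attribute and '<' still opens a tag."""
    partial = name.replace("'", "&#39;")
    return f'<input type="text" name="name" value="{partial}"><h1>Welcome {partial}</h1>'


def render_encoded(name: str) -> str:
    """HTML-encodes all five significant characters (& < > " ') before reflecting the value,
    so the browser shows the text instead of interpreting it."""
    safe = html.escape(name, quote=True)
    return f'<input type="text" name="name" value="{safe}"><h1>Welcome {safe}</h1>'


def reflects_raw_markup(page: str, probe: str) -> bool:
    """The article's manual check, automated: does the raw probe string survive into the response?"""
    return probe in page


if __name__ == "__main__":
    probe = name_from_url(SAMPLE_URL)
    for label, render in (("vulnerable", render_vulnerable),
                          ("half-escaped", render_half_escaped),
                          ("encoded", render_encoded)):
        page = render(probe)
        print(f"{label:13s} reflects raw markup: {reflects_raw_markup(page, probe)}")
        print("   ", page)
```

Running it shows the first two renderers echo the probe unchanged while the encoded one turns it into `&quot;&gt;&lt;b&gt;probe&lt;/b&gt;`, which is the behaviour to look for when testing a search form.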