What is Cross-Site Scripting (XSS)?

Cross-site scripting, also written as XSS, is one of the most abused and widespread vulnerabilities found on websites. Although it has been around since the 90's, it is still extremely easy to find sites with this vulnerability. In fact, some experts say that as much as 90% of domains on the internet are vulnerable to some form of this attack.

Many well-known sites have fallen victim to this attack, such as Facebook, Twitter, Microsoft and Apple.

The amount of damage that this attack can do depends on the kind of information that is handled on the site. For example, if the site is purely informational and does not handle client information, the attack may be no more than an annoyance. However, if the site handles confidential or financial information of its clients, it can turn into a disaster.

It basically works by the attacker being able to insert JavaScript into the victim website, so that the script then runs as part of that site's pages in the visitor's browser.
This script is sometimes hosted on another site that the hacker controls. That is where the name "cross-site" comes from; "scripting" comes from the use of JavaScript.

Now we will show you an extremely simple example of how to check our own site against very basic XSS.
Let's say we have a URL like this.


This URL takes the input in the GET variable and prints it directly on the page. In this way the client gets a customized welcome message, like:

Hello, Ben welcome back to our site.

A hacker can modify this URL by inserting some basic JavaScript that, in this case, will make an alert pop-up appear showing the numbers 123.
The URL would look like this.


Cross-site scripting is often used in combination with spam email that attempts to make clients click on a link in the email, in an attack called phishing.
The client gets an email that looks like it came from his bank, saying that they are making a routine control and that he has to re-enter his user name and password for X reason.
However, the code injected by the hacker allows him to record everything you type into that page and voilà! He has all the information needed to access your online banking system.
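
Returning to the welcome-message page described earlier: the following is an added example, not code from the original article, showing the vulnerable rendering next to an escaped version and a small self-check for reflected markup. The parameter name `name`, the host `example.test` and all function names are assumptions made for the illustration.

```javascript
// Constructed example: the parameter "name" and host example.test are assumptions.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the five characters that can change HTML structure with entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the GET variable from the request URL; fall back to "guest" when absent.
function getName(requestUrl) {
  return new URL(requestUrl).searchParams.get('name') ?? 'guest';
}

// Vulnerable: the input is concatenated into the markup exactly as received.
function renderWelcomeUnsafe(requestUrl) {
  return '<p>Hello, ' + getName(requestUrl) + ' welcome back to our site.</p>';
}

// Hardened: the input is HTML-escaped before it is placed in element content.
function renderWelcomeSafe(requestUrl) {
  return '<p>Hello, ' + escapeHtml(getName(requestUrl)) + ' welcome back to our site.</p>';
}

// Self-check for our own page: does the harmless alert(123) marker come back unescaped?
function reflectsMarkup(render) {
  const probe = '<script>alert(123)</script>';
  const url = 'http://example.test/welcome?name=' + encodeURIComponent(probe);
  return render(url).includes(probe);
}

const benign = 'http://example.test/welcome?name=Ben';
console.log(renderWelcomeSafe(benign));
console.log('unsafe version reflects markup:', reflectsMarkup(renderWelcomeUnsafe));
console.log('safe version reflects markup:  ', reflectsMarkup(renderWelcomeSafe));
```

The escaping shown here covers values placed in HTML element content; values placed inside attributes, URLs or script blocks need the encoding that matches that context.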

