What is Cross-site scripting (XSS)?

Cross-site scripting, also written as XSS, is one of the most widely abused vulnerabilities found on websites. Although it has been around since the 1990s, it is still extremely easy to find sites with this vulnerability. In fact, some experts say that as much as 90% of domains on the internet are vulnerable to some form of this attack.
There are many well-known sites that have fallen victim to this attack, such as Facebook, Twitter, Microsoft and Apple.
The amount of damage this attack can do depends on the kind of information the site handles. For example, if the site is purely informational and does not handle client information, an XSS flaw may be merely annoying. However, if the site handles confidential or financial information about its clients, it can turn into a disaster.
Now we will show you an extremely simple example of how to check a site for very basic XSS.
Let's say we have a URL like this.
This URL takes the input from the GET variable and prints it directly on the page. In this way the client gets a customized welcome message, like:
Hello, Ben welcome back to our site.
The URL would look like this.
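The check described above, written out as an added example that is not code from the original post. It assumes a GET parameter named "name" (the original page does not show its URL, so the sample URL and parameter are constructed) and puts the vulnerable page builder next to a hardened one that HTML-encodes the value before it reaches the page:

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample URL; the parameter name "name" is an assumption.
SAMPLE_URL = "https://example.test/welcome?name=Ben"

# A harmless marker string: if it comes back in the page unchanged, the
# parameter is reflected without encoding and the page is XSS-prone.
PROBE = "<script>probe</script>"


def get_name(url):
    """Read the 'name' GET parameter from a URL (percent-decoding included)."""
    params = parse_qs(urlparse(url).query)
    return params.get("name", ["guest"])[0]


def render_vulnerable(name):
    """The bug: the parameter is concatenated straight into the HTML."""
    return "<p>Hello, " + name + " welcome back to our site.</p>"


def render_safe(name):
    """The fix for an HTML text context: encode <, >, &, quotes before output."""
    return "<p>Hello, " + html.escape(name, quote=True) + " welcome back to our site.</p>"


def page_for(url, renderer):
    """Build the welcome page for a URL using the given renderer."""
    return renderer(get_name(url))


def reflects_unescaped(renderer, probe=PROBE):
    """True when the marker survives verbatim in the output, i.e. the renderer
    does not encode user input and would reflect markup into the page."""
    return probe in renderer(probe)


if __name__ == "__main__":
    print(page_for(SAMPLE_URL, render_safe))
    print("vulnerable renderer reflects markup:", reflects_unescaped(render_vulnerable))
    print("safe renderer reflects markup:", reflects_unescaped(render_safe))
```

The encoding in `render_safe` is the right fix only for values placed in HTML text or attribute content; a value inserted into a script block, a URL or a CSS context needs the encoding rules of that context instead.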
Cross-site scripting is often used in combination with spam email that attempts to make clients click on a link in the email, in an attack called phishing.
The client would get an email that looks like it came from their bank, saying the bank is making a routine check and the client has to re-enter their username and password for some reason.
However, the code injected by the attacker lets them record everything you type into that page, and voilà! they have all the information needed to access your online banking account.
To avoid becoming a victim of this attack, we recommend that a certified ethical hacking company like Hacking Solutions checks your website.