
Tuesday, April 17, 2012

Explain the concepts of XSS cross site scripting?

XSS, or cross-site scripting, is a familiar term in today's cyber world. It is a class of computer security vulnerability that is common among web applications.

Purpose of XSS Cross Site Scripting

- This vulnerability allows outside attackers to inject malicious client-side scripts into web pages or applications that are later viewed by the people who visit the page.

- Another purpose may be to bypass access controls such as the same-origin policy.

- Cross-site scripting alone accounted for almost 80.5 percent of all the security vulnerabilities identified and documented by Symantec in 2007.

- The risk posed by cross-site scripting depends on the sensitivity of the data processed by the particular web site or web page.

- Another factor that influences the risk is the security mitigation implemented by the owner of the web site.

Limitations of XSS Cross Site Scripting

- Cross-site scripting can also be used merely to create a petty nuisance.

- Attackers often misuse this vulnerability to bypass the client-side security mechanisms that web browsers normally apply to the web content of a site.

- There are various ways in which an attacker can gain access to web pages in order to inject malicious scripts into them.

- Such methods can give the attacker unauthorized access to the sensitive content of the page, to information about user activity stored by the browser, to session cookies, and so on.

About Cross Site Scripting

- Cross-site scripting is a type of code injection attack and is somewhat similar to SQL injection attacks.

- Originally, cross-site scripting was defined as loading the attacked third-party application from an unrelated attack site in a way that executes JavaScript created by the attacker in the security context of the targeted domain.

- The term eventually came to cover other modes of code injection as well, including non-JavaScript vectors (such as VBScript, Flash, Java, ActiveX, HTML, SQL and so on).

- Cross-site scripting vulnerabilities have been exploited since the advent of the 20th century.

- Many famous social networking sites, such as MySpace, Orkut, Twitter and Facebook, have been victims of cross-site scripting in the past.

- As cross-site scripting techniques have grown more sophisticated, they have surpassed vulnerabilities such as buffer overflows to become the most commonly reported security vulnerability.

- Even now, 68 percent of all web sites are classified as vulnerable to cross-site scripting attacks.

Classifications of XSS flaws

There are no formal criteria for classifying XSS flaws, but experts generally divide them into two categories:

1. Persistent XSS Flaws
Also known as stored XSS, this is the most destructive type. It occurs when data provided by the attacker is stored by the server.

2. Non persistent XSS flaws
Also known as reflected XSS, this is the most common type. It occurs when data from a web client is used by server-side scripts to generate the requested page without sanitization of the queries.
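
The two categories above differ only in where the untrusted data comes from; in both, the flaw is that it reaches the page without output encoding. The following added example (not part of the original post; `escapeHtml`, `renderSearch*`, `CommentStore` and the sample input are hypothetical, constructed names and values) shows a reflected and a stored rendering path, each in its vulnerable form beside the encoded form.

```javascript
// Added example: reflected vs. stored XSS and the output-encoding fix.
// All names here are hypothetical; the sample input is constructed.

// Encode the characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected (non-persistent): request data is echoed straight into the response.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}
function renderSearchHardened(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored (persistent): data is saved by the server and served to every later visitor.
class CommentStore {
  constructor() { this.comments = []; }
  add(text) { this.comments.push(String(text)); } // store raw, encode at output time
  renderVulnerable() {
    return this.comments.map((c) => `<li>${c}</li>`).join('');
  }
  renderHardened() {
    return this.comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
  }
}

// Simple check: did a script tag survive into the generated markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const SAMPLE_INPUT = '<script>alert(1)</script>'; // constructed test string

function demo() {
  const store = new CommentStore();
  store.add('nice post');
  store.add(SAMPLE_INPUT);
  return {
    reflectedVulnerable: containsScriptTag(renderSearchVulnerable(SAMPLE_INPUT)),
    reflectedHardened: containsScriptTag(renderSearchHardened(SAMPLE_INPUT)),
    storedVulnerable: containsScriptTag(store.renderVulnerable()),
    storedHardened: containsScriptTag(store.renderHardened()),
  };
}
console.log(demo());
```

Encoding at output time, rather than when the comment is stored, keeps the stored data intact and lets each output context apply its own encoding.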

Some other experts classify them as:
1. DOM-based XSS flaws: occur in client-side scripts.
2. Traditional XSS flaws: occur as a result of flaws in server-side scripts.
