XSS or cross site scripting attack is a much familiar security threat in today’s cyber world and is taking a toll on the web sites and applications by breaking in to their security system.
What is Cross Site Scripting Attack?
- Cross site scripting attack is another attack categorized under the category of computer security vulnerabilities which are the most common and frequent among the web applications.
- These attacks are known for making the web application so vulnerable that the malicious outside attackers are able to inject the malicious client side scripts in to the web pages or applications that are later set for the view by the users who visit the page.
- Another nefarious purpose of these attacks is to incur the access controls like the same origin policy.
- The cross site scripting attacks account for almost 80 percent of all the security threats identified and documented in the year of 2007 till now by the Symantec.
- The cross site scripting technique for the good purpose is usually employed for curbing risk depending on the measure of the sensitivity of the data that is being processed by that particular web site or web page.
- Apart from this factor, another factor that makes it easy for the attacks to happen is the security mitigation as implemented by the owner of that web site.
- Cross site scripting attacks are employed by some people to create petty nuisance.
- This is nothing but the misuse of the vulnerability of the security system by the attackers for bypassing the security mechanisms on the client side which are usually implemented by the web browsers up on the web content on the web site.
- There are various ways through which the site can be attacked and accessed for injecting the malicious scripts in to them.
- Such ways or methods can provide the attacker an unauthorized and easy way to access all the sensitive content of the page, information of the user activity as stored by the web browser and session cookies etc.
- Cross site scripting attacks are a type of code injection attack and somewhat similar to the SQL injection attacks.
- Earlier the cross site scripting technique was seen as the loading of the third party application that had been attacked at an unrelated attack site while the execution of the java scripts took place in the context of security of the domain on target as created by the attacker.
- Eventually this cross site scripting attacks were carried out through different modes of the code injection using non java script vectors (like VBscript, flash, Java, ActiveX, HTML, SQL and so on).
- Cross site scripting attacks are a consequence of the cross site scripting vulnerabilities that have been under exploitation since the advent of 20th century.
So many famous social networking sites of today like my space, orkut, twitter, Facebook etc have witnessed these attacks in the past. With the advancement of the cross site scripting techniques, they have now successfully surpassed the vulnerabilities like buffer overflows reporting to be the most common security vulnerability. Even now around 60 percent of the total web sites have been sorted as vulnerable to the cross site scripting attacks.
As such there are no defined criteria for the classification of the XSS flaws, but according to the experts they are classified in to two categories:
1. Persistent XSS flaws
- Also known as stored XSS flaws and is the most destructive type.
- Occurs when the data which has been provided by the attacker is stored by the server.
2. Non persistent XSS flaws
- Also known as reflected XSS flaws and most common type.
- Occurs when data from a web client is used by server scripts for generating required pages without the sanitization of the queries.
Tuesday, March 13, 2012
Explain the concepts of Cross site scripting attacks?
Wednesday, August 24, 2011
User Interface Analysis and Design - Testing Interface Mechanisms
There are interface mechanisms through which the interaction between the user and the web application occurs. There are some testing interface mechanisms described below:
- Links are tested to ensure that proper content object or function is reached. External link testing should occur throughout the life of the web application. Links within content object are also tested. Part of a support strategy should be regularly scheduled link tests.
- Client side scripting should be repeated whenever a new version of a popular browser is released. Compatibility testing should be done to ensure that the scripting language that is chosen is working properly in environmental configuration that support the web application.
- Forms testing is done at two levels:
At macroscopic level, tests ensure that labels correctly identify fields within the form; server is receiving the information that is contained within the form; defaults are used when user is not selecting from pull down menu or set of buttons; browser functions do not corrupt data and error checking script is working properly.
At targeted level, tests ensure that form fields are of proper width and data types; appropriate pull-down menus option are specified; tab key is performing in the right manner and browser auto fill features do not lead to data input errors.
- Dynamic HTML in web applications are tested to ensure that the dynamic display is working fine.
- Pop up windows are tested to ensure that a pop up window is properly positioned and sized; the design of pop up window is consistent with the aesthetic design of interface; scroll bars are working properly.
- Streaming Content is tested to ensure that they are up to date, properly displayed and restarted without difficulty.
- Cookies are tested at both server and client side. On server side, tests are conducted to ensure cookie is properly constructed and transmitted to client side. Proper persistence of cookie is tested to ensure that the expiration date is correct. On client side, tests are conducted to ensure whether web applications properly attaches existing cookies to specific request.
