This link has been bookmarked by 160 people . It was first bookmarked on 13 Oct 2007, by Eugene Ilyichev.
-
11 May 15
-
viewed by other users
-
to bypass access controls such as the same-origin policy
-
84% of all security vulnerabilities
-
-
content from one site
-
access resources
-
content from any URL with the same
-
(1) URI scheme, (2) host name, and (3) port number
-
will share these permissions
-
vulnerabilities in web-based applications, their servers, or the plug-in systems
-
attackers fold malicious content
-
resulting combined content
-
delivered from the trusted source
-
an attacker can gain elevated access-privileges to sensitive page content, to session cookies
-
non-persistent
-
two primary flavors
-
and persistent
-
used immediately by server-side scripts to parse and display a page
-
without properly sanitizing the request
-
any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection
-
The persistent (or stored)
-
when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages
-
If the script is enclosed inside a <script> element, it won't be shown on the screen.
-
Her script is run automatically by the browser and steals a copy of Bob’s real name and email directly from his own machine.
-
an attacker's malicious script is rendered automatically, without the need to individually target victims or lure them to a third-party website
-
03 May 15
-
01 Mar 15
Livern Chincode hack
-
24 Jun 14
-
03 Jun 14
-
-
12 Feb 14
-
A reflected attack is typically delivered via email or a neutral web site. The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected script.
-
-
16 Jan 14
-
-
A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
-
Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely.
-
By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.
-
-
22 Nov 13
-
14 Nov 13
-
-
The primary defense mechanism to stop XSS is contextual output encoding/escaping.
-
-
24 Aug 13
-
18 Jul 13
-
-
25 Jun 13
-
By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.
-
-
11 Jun 13
Selenite Vingt-NeufCross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attac
-
21 May 13
-
men's browsers when they visit her profile
-
er own server, which collects this inform
-
is her script to steal names and emails.
-
Bob's website allows Alice to log in with a username/pa
-
a reflected XSS vulnerability
-
his is the actual XSS vulnerability
-
-
22 Nov 12
-
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. Due to breaches of browser security, XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
-
-
17 Oct 12
-
Non-persistent
-
the most common type
-
is typically delivered via email or a neutral web site
-
more devastating
-
saved by the server
-
displayed
-
to other users
-
social networking sites
-
to self-propagate across accounts
-
can be used to send Alice's session cookie to Mallory
-
-
11 Oct 12
-
22 Sep 12
-
27 Jul 12
-
02 Mar 12
carlos puentesCross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
-
21 Feb 12
-
-
There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS: non-persistent and persistent. Some sources further divide these two groups into traditional (caused by server-side code flaws) and DOM-based (in client-side code).
-
-
18 Feb 12
-
14 Feb 12
-
Non-persistent
-
Cross-site scripting
-
found in Web applications
-
-
used by
-
vulnerability
-
bypass access controls
-
attackers
-
allow attackers to bypass client-side security mechanisms
-
web-application vulnerabilities
-
attacker can gain
-
web pages
-
injecting malicious scripts
-
elevated access-privileges
-
sensitive page content, session cookies
-
information maintained by the browser
-
special case of code injection.
-
"cross-site scripting"
-
act of loading the attacked
-
hird-party web application
-
from an unrelated attack site
-
manner
-
a reflected or non-persistent XSS vulnerability
-
the security context of the targeted domain
-
executes a fragment of JavaScript
-
non-persistent and persistent
-
traditional (caused by server-side code flaws) and DOM-based (in client-side code).
-
divide these two groups
-
Non-persistent
-
most common type
-
Persistent
-
Traditional versus DOM-based vulnerabilities
-
-
06 Feb 12
-
29 Dec 11
-
14 Dec 11
-
03 Aug 11
-
bypass
-
nuisance
-
-
08 Jul 11
-
Prominent sites affected in the past include the social-networking sites Twitter,[3] Facebook,[4] MySpace, and Orkut.[5][6] In recent years, cross-site scripting flaws surpassed buffer overflows to become the most common publicly-reported security vulnerability,[7] with some researchers viewing as many as 68% of websites as likely open to XSS attacks.[8]
-
The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type.[10] These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request.[11]
-
-
11 Apr 11
-
found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users
-
-
05 Dec 10
-
11 Nov 10
-
04 Nov 10
-
02 Oct 10
-
25 Sep 10
-
21 Sep 10
-
13 Sep 10
-
At first blush, this does not appear to be a serious problem: by submitting a malicious input to the web site, the user would only be able to compromise their own security context—that is, their own browser cookies, cache objects, and so forth. It is important to realize, however, that a third-party attacker may easily place hidden frames or deceptive links on unrelated sites and cause victims' browsers to navigate to URLs on the vulnerable site automatically—often completely in the background—and in such a case, the attacker can intrude into the security context that rightfully belonged to the victim.
-
-
23 Aug 10
-
12 Aug 10
James Otto"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users."
security web programming development code javascript ajax xss
-
15 Jun 10
-
12 May 10
jack ferrisXSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users.
-
20 Apr 10
-
09 Apr 10
-
02 Apr 10
therin2006Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.
-
11 Mar 10
-
19 Feb 10
-
22 Jan 10
shaleesa frampas"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner."
-
10 Oct 09
-
06 Oct 09
-
29 Sep 09
-
30 Jun 09
Matt GiddingsCross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities as of 2007.[1] Often during an attack "everything looks fine" to the end-user[2] who may be subject to unauthorized access, theft of sensitive data, and financial loss.
-
02 May 09
-
14 Apr 09
-
13 Apr 09
-
12 Feb 09
-
02 Feb 09
-
28 Jan 09
-
06 Jan 09
-
26 Nov 08
-
18 Nov 08
-
29 Oct 08
-
09 Aug 08
-
09 May 08
-
04 Apr 08
-
19 Mar 08
-
26 Feb 08
-
10 Feb 08
-
07 Feb 08
-
18 Jan 08
-
19 Dec 07
-
11 Oct 07
-
21 Aug 07
-
27 Jul 07
-
25 Jun 07
-
19 May 07
-
30 Oct 06
-
23 Oct 06
-
21 May 06
-
07 Apr 06
Page Comments
Serving entity encoding responses prevents this.
Would you like to comment?
Join Diigo for a free account, or sign in if you are already a member.