This link has been bookmarked by 97 people. It was first bookmarked on 17 Jun 2006, by Andres S.
Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to "Denial Of Service", and potential "auto-attacking" of hosts if a user simply reads a post on a message board.
Since XSS holes are different in how they are exploited, some testing will need to be done in order to make the output believable. By inserting code into the script, its output will be changed and the page may appear broken. (The end result is crucial and the attacker will have to do some touching up in the code to make the page appear normal.) Next you will need to insert some JavaScript (or other client-side scripting language) into the URL pointing to the part of the site which is vulnerable. Below I have provided a few links that are for public use when testing for XSS holes. These links below, when clicked on, will send the user's cookie to www.cgisecurity.com/cgi-bin/cookie.cgi and will display it. If you see a page displaying a cookie then session hijacking of the user's account may be possible.
15 Apr 08
Ludo Vangilbergen: Websites today are more complex than ever, containing a lot of dynamic content making the experience for the user more enjoyable. Dynamic content is achieved through the use of web applications which can deliver different output to a user depending on their settings and needs. Dynamic websites suffer from a threat that static websites don't, called "Cross Site Scripting" (or XSS, as dubbed by other security professionals). Currently small informational tidbits about Cross Site Scripting holes exist but none really explain them to an average person or administrator. This FAQ was written to provide a better understanding of this emerging threat, and to give guidance on detection and prevention.
10 Mar 08
Extensive site about cross-site scripting, including an explanation of the techniques used to get around standard defensive methods.
01 Mar 07
diigodeli dunbar: Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link fro
23 Oct 06
Christian Sax: Explains XSS (Cross Site Scripting) step by step, like a FAQ.
27 Aug 06
Step 3: XSS Execution
Hand out your crafted URL or use email or other related software to help launch it. Make sure that if you provide the URL to the user (through email, AIM, or other means) you at least HEX encode it. The code is obviously suspicious looking, but a bunch of hex characters may fool a few people.
In my example I only forward the user to cookie.cgi. An attacker with more time could do a few redirects and XSS combos to steal the user's cookie, and return them to the website without them noticing the cookie theft.
Some email programs may execute the Javascript upon the opening of a message or if the Javascript is contained in a message attachment. Larger sites like Hotmail do allow Javascript inside attachments but they do special filtering to prevent cookie theft.