Cross-Site Scripting, Explained
One of the most common website attacks that most businesses have never heard of.
|By: Brand Barney|
Want to see more vids like this? Subscribe on YouTube for more security tips.
How does cross-site scripting work? Here’s an example of one type of XSS.
- The hacker finds a legitimate webpage with an input field. Input fields could range from a first name field to a credit card field.
- The hacker checks if the webpage is vulnerable to cross-site scripting. For this type of attack to work, the web application must use the data the user enters and echo it back to the user. For example, if you sign in with your username (say, example123) and the webpage says something like, “Welcome example123!”, that webpage is echoing your data back to you. Once the user input is echoed back, if the browser is able to interpret it as executable language, then the attacker can confirm the page is vulnerable.
- The hacker embeds malicious script. Based on the intent of the attack, hackers can capture the keystrokes of the user, steal usernames or passwords entered into the fields, or even copy the entire webpage and redirect users to a fake webpage.
Possibly. I estimate that 1/3 of all websites are susceptible to XSS.
Is my website vulnerable to cross-site scripting?
XSS is a huge flaw in many websites if left untested and not properly avoided.
How to stop cross-site scripting on your website
- Run external vulnerability scans. Vulnerability scans help locate coding errors where XSS vulnerabilities may occur.
- Talk to your web developer and make sure your site is properly coded with security in mind.
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.