
Cross-Site Scripting

Monday, October 5, 2009 11:00


Many of today's websites are dynamic, meaning they build different content for each user depending on what the user requests.  That dynamic content is produced by a web application, and any web application that writes user-supplied input back into a page without encoding it is open to an attack called cross-site scripting (XSS).  If you have been in business long and pay attention to the variety of security issues you have to protect your business from, you have probably heard the term before.  In its most common form, reflected XSS, the attacker embeds malicious script in a web link and disguises the link so it appears to come from a trusted source.  When the user clicks on that link, whether it is found on a website, in a forum, in an instant message, or in an e-mail message, the vulnerable site copies the script from the link into the page it sends back, and the user's browser runs that script as if it were the legitimate website's own code.  In the stored variant the attacker submits the script to the site itself, for example in a comment or profile field, and the site serves it to every visitor who views that page; no crafted link is needed.  Either way the browser cannot tell the attacker's script from the site's, so the script can read the user's session cookies, hijack the user's account, change user settings, or perform other similar actions in the user's name.

Before any of this can occur, the attacker must discover a web application that is vulnerable, that is, one that reflects or stores input without HTML-encoding it.  The payload is normally JavaScript, since every browser runs it; older attacks also used VBScript, which only Internet Explorer executed.  As a user you can reduce your exposure by following links from the main website only.  If you get an e-mail with a link, or another site links you to a bank site, use a search engine to find the home address of the website and look for the information from there.  Do not click on the link.  You can also turn off JavaScript in your browser settings, at the cost of breaking many legitimate sites.  Keep in mind that these measures only help against the reflected form; a stored payload arrives from the legitimate site itself, so no care with links will stop it.  The real fix belongs on the server: encode user-supplied data at the point it is written into HTML.
