
Question: What is Cross Site Scripting?



asked Sep 13, 2013 in Java Interview Questions by anonymous
edited Sep 12, 2013
0 votes
36 views




2 Answers

0 votes

 

 
The  tag is the most popular way and sometimes easiest to detect. It can arrive to your page in the following forms:
 
External script:
 
 
 
Embedded script:
 
 alert("XSS"); 
 
 
 
The  tag can contain an embedded script by using the ONLOAD event, as shown below:
 
 
 
The BACKGROUND attribute can be similarly exploited:
 
 
 
 
Some browsers will execute a script when found in the image tag as shown here:
 
 
There are some variations of this that work in some browsers:
 
 
 
 
The  tag allows you to import HTML into a page. This imported HTML can contain a script.
 
 
 
 
If the TYPE attribute of the tag is set to “IMAGE”, it can be manipulated to embed a script:
 
 
 
 
The  tag, which is often used to link to external style sheets could contain a script:
 
 
 
 
The BACKGROUND attribute of the TABLE tag can be exploited to refer to a script instead of an image:
 
 
 
The same applies to the  tag, used to separate cells inside a table:
 
 
 
 
 
The  tag, similar to the  and  tags can also specify a background and therefore embed a script:
 
 
 
The  STYLE attribute can also be manipulated in the following way:
 
 
 
 
 
The  tag can be used to pull in a script from an external site in the following way:
 
 
 
 
 
If the hacker places a malicious script inside a flash file, it can be injected in the following way:
 
 
 
Is your site vulnerable to Cross Site Scripting?
 
Our experience leads us to conclude that the cross-site scripting vulnerability is one of the most widespread flaws on the Internet and will occur anywhere a web application uses input from a user in the output it generates without validating it. Our own research shows that over a third of the organizations applying for our free audit service are vulnerable to Cross Site Scripting. And the trend is upward.
 
Example of a Cross Site Scripting Attack
 
As a simple example, imagine a search engine site which is open to an XSS attack. The query screen of the search engine is a simple single-field form with a submit button, whereas the results page displays both the matched results and the text you are looking for.
 
Search Results for "XSS Vulnerability"
 
To be able to bookmark pages, search engines generally leave the entered variables in the URL address. In this case the URL would look like:
 
 
Vulnerability
 
Next we try to send the following query to the search engine:
 
 
alert ('This is an XSS Vulnerability')
 
 
By submitting the query to search.php, it is encoded and the resulting URL would be something like:
 
 
Ealert%28%91This%20is%20an%20XSS%20Vulnerability%92%29%3C%2Fscript%3E
 
Upon loading the results page, the test search engine would probably display no results for the search but it will display a JavaScript alert which was injected into the page by using the XSS vulnerability.
answered Sep 13, 2013 by rajesh
edited Sep 12, 2013
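
The search-results case described in the answer above, as an added example that is not part of the original answer: it renders the results heading once without output encoding and once with it, and adds a scheme allow-list for URL-valued attributes such as SRC and BACKGROUND. The function names are hypothetical and the sample query is constructed (with plain quotes so it decodes as UTF-8).

```javascript
// Added example (not from the original answer). The search.php-style page is
// modelled by hypothetical render functions; all names are assumptions.

// Encode the five characters that can change HTML parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query is concatenated into the page exactly as received.
function renderResultsUnsafe(query) {
  return `<h1>Search Results for "${query}"</h1>`;
}

// Hardened: the query is encoded for the HTML text context before output.
function renderResultsSafe(query) {
  return `<h1>Search Results for "${escapeHtml(query)}"</h1>`;
}

// URL-valued attributes (SRC, BACKGROUND, HREF) need a scheme allow-list as
// well, because encoding alone does not stop a javascript: URL.
function safeUrlAttribute(value) {
  let url;
  try {
    // The base only lets relative paths resolve; the WHATWG parser also strips
    // the tabs, newlines and leading spaces that browsers ignore in a scheme.
    url = new URL(value, "https://example.invalid/");
  } catch {
    return null;
  }
  return url.protocol === "http:" || url.protocol === "https:" ? escapeHtml(value) : null;
}

// Constructed sample input: the query-string value as the browser would send it.
const encodedQuery = "%3Cscript%3Ealert('This%20is%20an%20XSS%20Vulnerability')%3C%2Fscript%3E";
const query = decodeURIComponent(encodedQuery);

console.log(renderResultsUnsafe(query)); // markup reaches the browser as a live element
console.log(renderResultsSafe(query));   // markup is displayed as inert text
console.log(safeUrlAttribute("javascript:alert(1)")); // rejected
console.log(safeUrlAttribute("/img/bg.png"));         // accepted
```

Encoding has to match the output context: `escapeHtml` covers HTML text and quoted attribute values, not script blocks or style sheets.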

...