Wednesday, April 10, 2019

Cross site scripting Essay Example for Free

Cross-site scripting is a type of computer security vulnerability that mainly occurs in web applications which allow malicious web users to inject code into the various web pages viewed by other web users. The code most commonly injected by malicious web users consists of client-side scripts and HTML. An exploited cross site scripting (XSS) vulnerability is usually used by attackers to bypass certain access controls; a good example of such a bypass is the same origin policy. XSS originated from the fact that it was possible for a malicious web site to be loaded into another window or frame and then write or read data on separate web sites using JavaScript (Rafail, 2001).

Cross site scripting vulnerabilities

XSS vulnerabilities have been exploited to come up with very powerful browser exploits and phishing attacks. XSS performed on websites accounted for about eighty percent of all documented security vulnerabilities, as indicated by the 2007 statistics. In most attacks everything appears to be in order as far as the end users are concerned, but they are ultimately subjected to unauthorized access, financial loss and loss of sensitive data (Rafail, 2001).

Cross site scripting can mainly be categorized into two types: reflected and stored. There is another type of cross site scripting which is not widely known, called DOM based. Stored attacks are those in which the injected code is permanently stored on the target servers. It can remain permanently in the message forum, database comment field, or visitor log.

Reflected XSS attacks are those in which the injected code is reflected off the web server as a search result, an error message or another form of response that includes all or some of the input that was sent to the server as part of the request.
Reflected attacks are usually sent to the victims through other channels, such as electronic mail messages or other web servers. Once a user is lured into clicking a malicious link or is tricked into submitting a specially crafted form, the injected code travels to the vulnerable web server, the reflected attack is in turn sent back to the browser, and the code is then executed as if it originated from a trusted server (Rafail, 2001).

The consequences of cross site scripting attacks are essentially the same regardless of whether they are DOM based, reflected or stored. The main difference is the manner in which the payload enters the server. Cross site scripting is capable of causing various problems for end users. The problems range in severity: they can cause annoyance to the end users as well as complete loss of accounts. The most serious XSS attacks result in disclosure of the user's information and data, allowing the attacker to seize the user's session and thus be in a position to take over the user's accounts. XSS also exposes end users to other damaging attacks such as installation of Trojan programs, disclosure of files belonging to the end users, redirection of the web user to other sites or pages, or modification of the contents. A cross site scripting vulnerability that allows the attacker to change a news item or a press release is capable of affecting the stock price of an organization or decreasing consumer confidence. For example, a cross site scripting vulnerability on the site of a pharmaceutical company can allow the attacker to alter dosage information, which might result in over or under dosage (Rafail, 2001).
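
The reflected case described above, shown from the defender's side as an added example that is not part of the original essay. The search page, the function names and the sample query are all constructed for illustration.

```javascript
// Added example: a constructed search page, not code from any real application.

// Vulnerable: the query is concatenated into the response unchanged, so
// markup sent in the request becomes markup in the page the browser parses.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for ${query}</h1><p>No matches.</p></body></html>`;
}

// The five characters that can change the parsing context in element
// content and quoted attribute values, with their HTML entity encodings.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: the same page, with the request input encoded at the point
// where it enters the HTML output. The browser displays it as text.
function renderSearchSafe(query) {
  return `<html><body><h1>Results for ${escapeHtml(query)}</h1><p>No matches.</p></body></html>`;
}

// Review helper (hypothetical name): true when input containing markup
// characters comes back in the response exactly as it was sent.
function reflectsRawMarkup(render, input) {
  return /[<>"']/.test(input) && render(input).includes(input);
}

// Constructed sample input of the kind a crafted link would carry.
const SAMPLE_QUERY = '<script>alert(1)</script>';

console.log('vulnerable page reflects raw markup:',
  reflectsRawMarkup(renderSearchVulnerable, SAMPLE_QUERY));
console.log('hardened page reflects raw markup:',
  reflectsRawMarkup(renderSearchSafe, SAMPLE_QUERY));
console.log(renderSearchSafe(SAMPLE_QUERY));
```

The encoding shown is correct for HTML element content and quoted attribute values only; input placed inside a script block, a URL or a style rule needs the encoding for that context.
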
XSS flaws are at times very difficult to identify and remove from web applications. The best way to find such flaws is to perform a security review of the code and also to search thoroughly for all the places where input from an HTTP request could find its way into the HTML output. It is very important to note that a variety of HTML tags can be used to transmit malicious JavaScript. Nikto, Nessus and other tools currently available on the market can be used to scan websites, but they are less effective since they only scratch the surface and are not capable of eliminating all the flaws in the system (Snake, n.d.).

Preventing XSS attacks

Once a web site becomes the victim of an XSS attack, the end user is likely to lose a lot of important data and information. It is therefore very important for people to protect themselves against such attacks. One of the best ways to avoid becoming a victim of an XSS attack is not to respond to an unsolicited request by providing your personal details. Such information should not be provided, whether over the internet or over the phone. Users should know that the internet and e-mail pages used by XSS attackers look similar to those used by genuine institutions, and it might be quite hard to distinguish between the two. So if you believe that the contact could be valid, you should contact the institution in question yourself. You can do so by visiting the company's website, and instead of using the provided link you should type the address yourself or use a page that you bookmarked earlier. You should initiate the contact using information that you have verified (Naraine, 2009).

Conclusion

Cross site scripting is a serious fraudulent activity, and anyone who falls prey to it can end up losing significantly.
It is thus good to increase awareness of such vices so that when people are targeted by such acts they are able to identify them and are subsequently in a good position to protect themselves. End users should also do all that is possible to conceal their vital information and ensure that it is only given to the relevant authorities when needed. It is also important to keep scanning their systems regularly using valid tools.

Reference

Naraine, R. (2009) Phishing without bait: The in-session password theft attack. Retrieved on 1st June 2009 from http://blogs.zdnet.com/security/?p=2390

Rafail, J. (2001) Cross-Site Scripting Vulnerabilities. Retrieved on 1st June 2009 from http://www.cert.org/archive/pdf/cross_site_scripting.pdf

Snake, R. (n.d.) XSS (Cross Site Scripting) Cheat Sheet: Esp. for filter evasion. Retrieved on 1st June 2009 from http://ha.ckers.org/xss.html
