Cross Site Scripting is a security defect and one of the ways hackers attack sites. In this attack, client-side code such as JavaScript is injected into the site, and the hackers' main target is the users who visit the site. In this type of attack, hackers steal the information of a site's users without the users being aware of it.
Although the abbreviation of Cross Site Scripting would be CSS, CSS is also the abbreviation of Cascading Style Sheets, so to avoid confusion the abbreviation XSS is used for Cross Site Scripting.
In XSS, hackers substitute their own code for the dynamic page's code. This attack is often used when a site takes the user information it requests from the query string. The code that replaces the dynamic page's code runs on the user's computer. This code can steal important information on the computer and act destructively.
For example, after a user enters information such as a username and password on the site of a bank that is not protected against XSS, this information may be stolen by a hacker (without the user's awareness), and the user's bank account may then be robbed.
Although many websites have a filter to recognize input that contains XSS, it cannot filter all types of XSS. Therefore it can be said that sites that receive information from users are exposed to XSS attacks.
One way to obtain a user's information is to get the cookie that a site creates and saves on the user's system after a visit, so that the saved information can be used at the next visit to let the user in. With access to this file, the hacker in fact has access to the user's information and can misuse it.
Types of XSS:
Reflected
In this type of attack, the hacker finds a security hole and a way to use it, then leads unwitting users to a web application with an XSS vulnerability. At that point the attack is carried out.
This attack is carried out through a parameter that is sent with the URL. The hacker sends the user a malicious URL containing the parameter, usually through email, a weblog, a forum or some other channel. One might think that a user who does not click on unknown links has no problem. But it should be noted that, by using JavaScript, the attack can be carried out even by opening an email or viewing a site. In addition, in this type of attack the URLs are usually encoded with methods such as hex, or some other encoding, so that the URL appears valid.
Stored
In this type of attack, the hacker saves malicious code that will be called in the future.
The user then encounters the malicious code without knowing it, and the code runs. The problem is that input and output validation is done neither when the code is saved nor when it is fetched. A very important point is that validation is necessary both on input, when the data is saved, and on output, because unknown and destructive code will be discovered during the input validation process.
By using XSS, a hacker can take actions such as the following:
- Change user settings
- Steal the account
- Steal the cookies
- Apply malicious code
- Link to a destructive site
- False advertisement
Common ways in which users are attacked include:
- Opening a web page
- Clicking on a link
- Opening an email
Prevention of XSS
The simplest way to avoid XSS is to add code to the web application that causes some tags in dynamic input to be ignored.
Tags used in XSS are:
- <script>
- <object>
- <applet>
- <embed>
- <form>
Generally, to prevent XSS, different strategies should be considered:
- Using a secure browser:
Browsers like Firefox and Opera have higher security than IE (though not 100%). Internet Explorer is among the browsers that have many weaknesses and are very much at risk.
- Using tools that restrict the execution of scripts, Flash and other destructive code, for example NoScript.
- Not clicking on unknown links and emails:
Try to enter the addresses of the websites you want to view directly in the browser's address bar.
- Using functions that clean up code, such as htmlentities in PHP (filter the user's input and also the output).
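The output encoding with htmlentities named in the last item, as an added example that is not part of the original article. The search page, the `q` parameter and the helper names `e` and `renderSearchPage` are assumptions, and the inputs are constructed samples.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article). The helper names, the
// search page and the "q" parameter are assumptions for illustration.

/** Encode untrusted text for HTML element content or a quoted attribute. */
function e(string $untrusted): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot close an attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Echo a query-string value back to the user, encoded at output time. */
function renderSearchPage(array $query): string
{
    // ?q[]=x arrives as an array; treat anything that is not a string as empty.
    $q = (isset($query['q']) && is_string($query['q'])) ? $query['q'] : '';

    return '<input type="text" name="q" value="' . e($q) . '">' . "\n"
         . '<p>Results for: ' . e($q) . '</p>';
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    'plain text'      => ['q' => 'savings account'],
    'tag from list'   => ['q' => '<script>alert(1)</script>'],
    'attribute quote' => ['q' => '" class="injected'],
    'array parameter' => ['q' => ['not', 'a', 'string']],
];

foreach ($samples as $label => $query) {
    $html = renderSearchPage($query);

    // The input must come out as text: no new tag and no new attribute.
    if (strpos($html, '<script') !== false || strpos($html, 'class="') !== false) {
        throw new RuntimeException("unencoded input in output: $label");
    }
    echo "== $label ==\n$html\n\n";
}
```

Encoding is applied at the point of output, so a value that was stored without validation is still rendered as text when it is fetched.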
Languages commonly used in XSS include:
JavaScript, VBScript, HTML, Perl, C++, ActiveX and Flash
Note: Publication of this article is allowed only with the Pars Data name, as authorized source.