website guardian Website GUARDIAN

What is a Cross-Site Scripting Attack?


Published: March 8, 2012
Author: Anna Agnew
Article Photo

Cross-site scripting (also known as XSS or CSS-and not to be confused with Cascading Style Sheets) is a technique used by hackers to compromise websites and web applications. This technique takes advantage of weaknesses in the code of web applications, allowing the hacker to insert malicious code onto a website in order to collect some kind of data from the victim. Data stolen by hackers through XSS could be sensitive information including medical records, social security numbers and credit card numbers. The consequences of such an attack could be considered a petty nuisance to some, while to others it may pose a significant security risk depending on the nature of the data stored by the vulnerable website.

Vulnerabilities in web applications are considered Cross-site scripting holes that allow hackers to override the client-side security systems activated by your web browser. By overcoming these security systems, hackers can inject malicious code onto your web pages, allowing them access privileges to your page content and also information collected by your browser on your behalf. Cross-site scripting attacks are considered a special case of code injection and hackers inject malicious code in the form of JavaScript, VBScript, ActiveX, HTML or even Flash. Attacks are usually formatted as a hyperlink that contains malicious code and can be distributed over any possible means on the internet. Any web page that passes information to a database is vulnerable to a XSS attack - for example, Login forms, Forgot Password forms, etc. In a typical XSS attack, your web page is infected with malicious code that, when visited by a user, is then downloaded to their browser and executed.

The goal of many websites today is to do whatever is necessary to cater to their customers and potential customers. In order to offer their customers output or content based on their specific preferences and needs, websites must rely quite strongly on a multitude of various types of web applications. Unfortunately, with these web applications, these dynamic sites are at the mercy of XSS attacks.

XSS is considered the most popular technique used to hack databases, accounting for approximately 85% of all security vulnerability attacks. In addition, you will find many other methods of attack such as Disclosure of Information, the Spoofing of Content and Stolen Credentials can be attributed to side-effects of the Cross-Site Scripting attack. It is said that as many as 68% of websites are vulnerable to the XSS attack and these XSS attacks have been going on since the 1990s.

In order to combat XSS attacks, it is important to find a web developer that will put measures in place to prevent such attacks. A good web developer will be diligent in finding these security holes and developing security measures to protect your website from the risk of the Cross-Site Scripting Attack.

Category: website security,