Cross-Site Scripting (XSS) is one of the most common vulnerabilities in web applications. It occurs when an application accepts untrusted data and sends it to the browser without proper validation or output encoding. This allows an attacker to execute scripts in the victim's browser, where they can hijack the user's session or redirect the user to malicious links.
The basic characteristics of XSS attacks are:
· XSS attacks are carried out through vulnerable web applications
· XSS attacks target the application's users, not the application itself
XSS vulnerabilities arise primarily from inadequate sanitization of user input. Consider a hypothetical web site with a form that accepts a user's e-mail address so that news can be sent to them. The web application that handles the e-mail address may not be programmed to validate it. Because of this shortcoming in the code that accepts and further processes the user's input, an attacker is able to run their own malicious code.
An example of an XSS attack:
Consider a site that has a link with a URL like this:
Let's say that the "name" parameter carries the user's name. The site uses this value to print "Hello ZoranLojpur" on the page. In this case the attacker can abuse the "name" parameter by supplying malicious content instead of the expected name, as in the following link:
In this case a message box reading "XSS vulnerability" will pop up, but real malicious code can be run on the site using the same technique.
Such an attack succeeds because the web application that parses the URL and renders the page assumes that the user always supplies safe data; it was not prepared for this threat. The attacker uses a benign web site to launch a malicious attack on an unsuspecting user, and the site owner usually has no idea that their site is being used to execute malicious code.
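The following is an added example, not code from the original article: a minimal rendering of the "Hello name" page described above, in the vulnerable form (the parameter is concatenated straight into the HTML) and in a hardened form (the parameter is HTML-encoded before it reaches the response). The host name, the page template, the payload and the helper names are constructed for illustration; the article itself does not give the URL.

```javascript
// Added example (not from the original article). Reflected XSS through a
// "name" query parameter: vulnerable renderer next to its hardened form.
// Host, template, payload and helper names are hypothetical.

// Vulnerable: the parameter is concatenated into the HTML unchanged, so a
// value such as <script>...</script> becomes part of the page's markup.
function renderGreetingVulnerable(urlString) {
  const name = new URL(urlString).searchParams.get("name") ?? "";
  return `<html><body><h1>Hello ${name}</h1></body></html>`;
}

// Output encoding for HTML element content and quoted attribute values.
// "&" is replaced first so the entities produced below are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened: same page, but every character with HTML meaning is encoded,
// so the browser renders the attacker's text as text, not as markup.
function renderGreetingSafe(urlString) {
  const name = new URL(urlString).searchParams.get("name") ?? "";
  return `<html><body><h1>Hello ${escapeHtml(name)}</h1></body></html>`;
}

// Simple oracle for a unit test or a scanner: does the rendered page contain
// a script element that the template itself never emits?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed requests against a hypothetical host.
const benignUrl = "https://example.test/hello?name=ZoranLojpur";
const attackUrl =
  "https://example.test/hello?name=" +
  encodeURIComponent('<script>alert("XSS vulnerability")</script>');

// When run directly with node, show the two responses side by side.
console.log("vulnerable:", renderGreetingVulnerable(attackUrl));
console.log("hardened:  ", renderGreetingSafe(attackUrl));
```

The check in `containsScriptTag` is only a smoke test for this one payload; the real defence is the encoding step, applied in every place where untrusted data is written into HTML, and chosen for the context (element content, attribute, JavaScript string, URL) in which the data lands.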
How to detect whether your site is vulnerable to XSS attacks, and what to do about it?
1. Check whether the software that runs your site takes user input and uses it directly, without filtering or encoding it.
2. Upgrade to the latest version of the software.
3. Check whether the third-party plugins your site uses are susceptible to XSS attacks.
4. Run a vulnerability assessment scan of the site to find out whether any XSS vulnerabilities exist. Any weak point should be removed or repaired as soon as possible.
5. Use a Web Application Firewall to block attacks on your site; treat it as an additional layer, not as a substitute for fixing the vulnerable code.