Here is some useful info and links I found on (XSS) Cross Site Scripting.
Cross-Site Scripting is a class of security vulnerabilities in web applications. The name does not convey its meaning very well but it has stuck since it was first used. The acronym was changed to XSS, probably by Steve Champeon in his Webmonkey article, because there’s also Cascading Style Sheets and Content Scrambling System. The name sounds like something harmless, thus many web developers ignore the fact that XSS can do as much damage as any other hack, crack or exploit.
The XSS cheat sheet by xss-god Rsnake has a lot of practical information. Also read the ha.ckers.org blog and browse around for heaps of interesting stuff. I particularly liked the Firefox extension (can’t find the link) and text obfuscation. (obvious SEO applications)
From XSS Faq at cgisecurity.org:
Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious-looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.
From XSS at Wikipedia:
There are three distinct known types of XSS vulnerabilities to date: DOM-based or local (Type 0), non-persistent or reflected (Type 1), and persistent or stored (Type 2) cross-site scripting.
Type 0 (DOM-based) example:
- Mallory sends a URL to Alice (via email or another mechanism) of a maliciously constructed web page.
- Alice clicks on the link.
- Mallory’s malicious script now may run commands with the privileges Alice holds on her own computer.
Type 1 (reflected) example:
- Alice often visits a particular website, which is hosted by Bob. Bob’s website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.
- Mallory observes that Bob’s website contains a reflected XSS vulnerability.
- Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob.
- Alice visits the URL provided by Mallory while logged into Bob’s website.
- The malicious script embedded in the URL executes in Alice’s browser, as if it came directly from Bob’s server. The script steals sensitive information (authentication credentials, billing info, etc.) and sends this to Mallory’s web server without Alice’s knowledge.
Type 2 (stored) example:
- Bob hosts a web site which allows users to post messages and other content to the site for later viewing by other members.
- Mallory notices that Bob’s website is vulnerable to a type 2 XSS attack.
- Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.
- Upon merely viewing the posted message, site users’ session cookies or other credentials could be taken and sent to Mallory’s webserver without their knowledge.
- Later, Mallory logs in as other site users and posts messages on their behalf…
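Both the reflected and the stored cases come down to the same defect: the server writes request data into the page as markup instead of as text. As an added example (not code from the original post or from any of the linked tools), here is a small Python page renderer in its vulnerable and hardened forms, with a parser check that reports whether the reflected value became an element; the search-page layout and the sample input are assumptions made for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample input (an assumption for this example): a search term that
# tries to close the surrounding attribute and inject its own element.
USER_INPUT = '"><script>alert(1)</script>'


def render_vulnerable(query: str) -> str:
    """'Before': the request parameter is concatenated straight into the page."""
    return (f'<p>Results for: {query}</p>\n'
            f'<input type="search" value="{query}">')


def render_hardened(query: str) -> str:
    """'After': HTML-encode the value for the text and quoted-attribute contexts.

    quote=True also encodes " and ' so the value cannot terminate value="...".
    Other contexts (JavaScript, URL, CSS) need their own encoders; HTML escaping
    alone is only correct for element text and quoted attribute values.
    """
    safe = html.escape(query, quote=True)
    return (f'<p>Results for: {safe}</p>\n'
            f'<input type="search" value="{safe}">')


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, i.e. every element the page creates."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def elements_in(page: str) -> list[str]:
    """Parse the rendered page and list its element names in document order."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


def reflects_script(page: str) -> bool:
    """True when user data was interpreted as markup and produced a script element."""
    return 'script' in elements_in(page)


if __name__ == '__main__':
    print('vulnerable:', elements_in(render_vulnerable(USER_INPUT)))  # includes 'script'
    print('hardened:  ', elements_in(render_hardened(USER_INPUT)))    # ['p', 'input']
```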
The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. The policy dates from Netscape Navigator 2.0.
XSS advisories at Secunia.
Springenwerk is an open source XSS scanner written in Python.
Libwhisker is a Perl library geared towards HTTP testing.
Nikto is another open-source tool; it uses Libwhisker.
Saint Corporation offers a vulnerability assessment tool that scans web apps as well.
The Acunetix Web Vulnerability Scanner is a bit expensive, but I’ve seen a couple of good reviews about it.
ISS.net has a wide array of commercial security tools.
N-Stealth is yet another commercial web vulnerability assessment tool. They do have a free version, however, with some limits.
WebMaven is an interactive learning environment for web application security. Also from them, Achilles, which acts as an HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly.