rants from the dark side of marketing

XSS – Cross Site Scripting

Here is some useful info and links I found on (XSS) Cross Site Scripting.

Cross-Site Scripting is a class of security vulnerabilities in web applications. The name does not convey its meaning very well but it has stuck since it was first used. The acronym was changed to XSS, probably by Steve Champeon in his Webmonkey article, because there’s also Cascading Style Sheets and Content Scrambling System. The name sounds like something harmless, thus many web developers ignore the fact that XSS can do as much damage as any other hack, crack or exploit.

The XSS cheat sheet by xss-god Rsnake has a lot of practical information. Also read the ha.ckers.org blog and browse around for heaps of interesting stuff. I particularly liked the Firefox extension (can’t find the link) and text obfuscation (obvious SEO applications).

From XSS Faq at cgisecurity.org:

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, an instant message, or simply by reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request looks less suspicious to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner that makes it appear as valid content from the website.

From XSS at Wikipedia:

There are three distinct known types of XSS vulnerabilities to date: DOM-based or local (Type 0), non-persistent/reflected (Type 1), and persistent or stored (Type 2) cross-site scripting.

Type-0 attack

  1. Mallory sends a URL to Alice (via email or another mechanism) of a maliciously constructed web page.
  2. Alice clicks on the link.
  3. The malicious web page’s JavaScript opens a vulnerable HTML page installed locally on Alice’s computer.
  4. The vulnerable HTML page is tricked into executing JavaScript in the computer’s local zone.
  5. Mallory’s malicious script now may run commands with the privileges Alice holds on her own computer.

Type-1 attack

  1. Alice often visits a particular website, which is hosted by Bob. Bob’s website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.
  2. Mallory observes that Bob’s website contains a reflected XSS vulnerability.
  3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob.
  4. Alice visits the URL provided by Mallory while logged into Bob’s website.
  5. The malicious script embedded in the URL executes in Alice’s browser, as if it came directly from Bob’s server. The script steals sensitive information (authentication credentials, billing info, etc) and sends this to Mallory’s web server without Alice’s knowledge.

Type-2 attack

  1. Bob hosts a web site which allows users to post messages and other content to the site for later viewing by other members.
  2. Mallory notices that Bob’s website is vulnerable to a type 2 XSS attack.
  3. Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.
  4. Upon merely viewing the posted message, site users’ session cookies or other credentials could be taken and sent to Mallory’s webserver without their knowledge.
  5. Later, Mallory logs in as other site users and posts messages on their behalf….
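The reflected (Type 1) case boils down to the server echoing a request parameter into its HTML without encoding it. This added example (mine, not from the FAQ or Wikipedia text above) shows a minimal vulnerable page handler beside the fixed one, with a constructed sample URL of the kind Mallory would send; `bob.example` and the `q` parameter are made up for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL: the search term carries markup, URL-encoded so it
# looks less suspicious, exactly as the FAQ quoted above describes.
SAMPLE_URL = "http://bob.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
PAYLOAD = "<script>alert(1)</script>"


def query_param(url: str, name: str) -> str:
    """Return the decoded value of one query parameter ("" if absent).

    parse_qs undoes the %XX encoding, so the server sees the raw markup.
    """
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflects the term verbatim, in both a text and an attribute context.

    The browser cannot tell Bob's markup from Mallory's, so the injected
    script runs in Bob's origin with access to Bob's cookies.
    """
    return f"<h1>Results for {q}</h1><input name='q' value='{q}'>"


def render_safe(q: str) -> str:
    """Same page with HTML output encoding applied before interpolation.

    html.escape(quote=True) turns < > & " and ' into entities, so the
    term can only ever be rendered as text and cannot close the quoted
    attribute either.
    """
    safe = html.escape(q, quote=True)
    return f"<h1>Results for {safe}</h1><input name='q' value='{safe}'>"


def reflects_raw(page: str, payload: str) -> bool:
    """The check an XSS scanner performs: does the payload survive unencoded
    into the response body?"""
    return payload in page


if __name__ == "__main__":
    term = query_param(SAMPLE_URL, "q")
    print("vulnerable reflects payload:", reflects_raw(render_vulnerable(term), PAYLOAD))
    print("fixed reflects payload:     ", reflects_raw(render_safe(term), PAYLOAD))
```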

Nice paper on Weaknesses in Web-Applications from v-wall.co.uk. Also of interest the javascript injection paper.

The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. The policy dates from Netscape Navigator 2.0.
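An origin is the (scheme, host, port) triple of a URL; two pages may touch each other's DOM only if all three match. The following added example (not from the page or any of the linked papers) spells out that comparison, and shows why XSS bypasses the policy: a script reflected into Bob's page is, by this rule, Bob's own script. Hostnames are constructed.

```python
from urllib.parse import urlsplit

# Omitting the port means the scheme's default port, so
# http://host/ and http://host:80/ are one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Reduce a URL to its origin tuple; path, query and fragment are ignored."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostnames are case-insensitive
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"no default port known for scheme {scheme!r}")
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """True when script loaded from `a` may read or set properties of `b`."""
    return origin(a) == origin(b)


if __name__ == "__main__":
    bob = "http://bob.example/account"
    for other in (
        "http://bob.example:80/messages?id=1",  # same origin (default port)
        "https://bob.example/account",          # scheme differs
        "http://www.bob.example/account",       # host differs
        "http://bob.example:8080/account",      # port differs
    ):
        print(f"{other:40} same origin as Bob: {same_origin(bob, other)}")
```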

XSS at Secunia security advisories.


Springenwerk is an open source XSS scanner written in python.

Libwhisker is perl library geared for HTTP testing.

Nikto is another open-source tool; it uses Libwhisker.

Saint Corporation offers a vulnerability assessment tool that scans web apps as well.
The Acunetix Web Vulnerability Scanner is a bit expensive, but I’ve seen a couple of good reviews about it.
ISS.net has a wide array of commercial security tools.
N-Stealth is yet another commercial web vulnerability assessment tool. They have a free version, however, with some limits.

WebMaven is an interactive learning environment for web application security. Also from them, Achilles, which acts as an HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly.

Posted on Wednesday, August 2nd, 2006 at 8:47 am under Rants.


Copyright 2008, blackhat-seo.com