Cross-site Scripting

From Guidance Share

Description

Cross-site scripting attacks are an instantiation of injection problems, in which malicious scripts are injected into otherwise benign and trusted web sites.

Applies To

  • Language: Any
  • Platform: All (requires interaction with a web server supporting dynamic content)

Example

Cross-site scripting attacks may occur anywhere that possibly malicious users are allowed to post unregulated material to a trusted web site for consumption by other valid users. The most common example is found in bulletin-board web sites that provide web-based, mailing-list-style functionality.

Impact

  • Confidentiality: The most common attack performed with cross-site scripting involves the disclosure of information stored in user cookies.
  • Access control: In some circumstances it may be possible to run arbitrary code on a victim’s computer when cross-site scripting is combined with other flaws.

Vulnerabilities

  • Failure to validate user input for script tags when that input can be echoed back into a web page.

Countermeasures

  • Implementation: Use a white-list style parsing routine to ensure that no posted content contains scripting tags.
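
The white-list countermeasure above, as an added Python example that is not part of the original page. The tag set and the names `ALLOWED_TAGS`, `AllowListSanitizer` and `sanitize_post` are assumptions chosen for a bulletin-board post: anything not on the list is dropped, attributes are never copied, and text is HTML-escaped on output.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list for a bulletin-board post: formatting tags only.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
                "blockquote", "code", "pre"}
VOID_TAGS = {"br"}                  # emitted once, never closed
DROP_CONTENT = {"script", "style"}  # tag AND its text content are discarded


class AllowListSanitizer(HTMLParser):
    """Rebuilds posted markup from scratch, copying only allow-listed tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <ScRiPt> is matched too.
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            # Attributes (onclick, style, href, ...) are never copied.
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text stays text.
        if not self.skip_depth:
            self.out.append(escape(data))
    # Comments, doctypes and processing instructions fall through to the
    # base-class no-op handlers and are therefore dropped.


def sanitize_post(html_text):
    """Return html_text reduced to allow-listed tags and escaped text."""
    parser = AllowListSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

The output can still contain unbalanced allow-listed tags (for example a stray `</b>`), which affects layout but not script execution; escaping must still match the context where the result is written into the page.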

Vulnerability Patterns

How Tos
