Cross site scripting

From Academic Kids

Cross site scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is. From the trusted context, an attack can be launched. Note that although cross site scripting is also sometimes abbreviated "CSS", it has nothing to do with the Cascading Style Sheets technology that is more commonly called CSS.

A classic example of cross site scripting is to supply parameters to a CGI script on a web site which cause the web site to emit bogus data. For example, the use of HTML client-side scripting language fragments in a web page parameter may insert this information into the rendered page, resulting in targeted web browsers executing the code.

This may be done by entering data into a web form on the site, for example as part of a bulletin board feature, or by publicly posting a URL which users are likely to click on, for example in e-mails or Usenet. Such a vulnerability in a web application can make phishing schemes more effective.

Note that despite the name, as example 2 demonstrates, this type of attack does not require the use of scripts.

Example 1:

  1. UserA trusts example.com to run JavaScript on his machine.
  2. UserB has found a way to inject/insert his/her own JavaScript code into example.com (for example into a bulletin board message) and inserts a malicious script that asks for people's credit card numbers and stores them somewhere where UserB can access them.
  3. UserA visits example.com and UserB's script asks for his/her credit card number. Thinking that this is a legitimate request from example.com, UserA blissfully provides his/her credit card number.
  4. UserB has effectively "stolen" UserA's credit card number using cross-site scripting and some social engineering.

Example 2:

  1. UserA has an account at example.com and is logged in.
  2. UserB has found a way to inject/insert his/her own HTML into example.com (for example into a bulletin board message) and inserts a form that asks for people's credit card numbers and stores them somewhere where UserB can access them.
  3. UserA visits example.com and UserB's form asks for his/her credit card number. Thinking that this is a legitimate request from example.com, UserA blissfully provides his/her credit card number.
  4. UserB has effectively "stolen" UserA's credit card number using cross-site scripting and some social engineering.

Example 3:

  1. UserA has an account at example.com and is logged in.
  2. UserB injected a piece of JavaScript to retrieve the session ID of the current user and send it to him/her.
  3. UserA visits the manipulated page and his/her session ID is transmitted to UserB.
  4. UserB can now use UserA's account until he/she logs out (possibly longer if he/she changes UserA's password).

If UserB had put the code on his own website, it would not be allowed to access the session-cookie.

The name "cross site" derives from the way the attack is directed "across" the web-site, from the attacking data source to the attacked browser.

External links

Current Blacklist (http://pointblanksecurity.com/xss/xss2.php)

de:Cross-Site Scripting ja:クロスサイトスクリプティング pl:Cross Site Scripting

Navigation

Academic Kids Menu

  • Art and Cultures
    • Art (http://www.academickids.com/encyclopedia/index.php/Art)
    • Architecture (http://www.academickids.com/encyclopedia/index.php/Architecture)
    • Cultures (http://www.academickids.com/encyclopedia/index.php/Cultures)
    • Music (http://www.academickids.com/encyclopedia/index.php/Music)
    • Musical Instruments (http://academickids.com/encyclopedia/index.php/List_of_musical_instruments)
  • Biographies (http://www.academickids.com/encyclopedia/index.php/Biographies)
  • Clipart (http://www.academickids.com/encyclopedia/index.php/Clipart)
  • Geography (http://www.academickids.com/encyclopedia/index.php/Geography)
    • Countries of the World (http://www.academickids.com/encyclopedia/index.php/Countries)
    • Maps (http://www.academickids.com/encyclopedia/index.php/Maps)
    • Flags (http://www.academickids.com/encyclopedia/index.php/Flags)
    • Continents (http://www.academickids.com/encyclopedia/index.php/Continents)
  • History (http://www.academickids.com/encyclopedia/index.php/History)
    • Ancient Civilizations (http://www.academickids.com/encyclopedia/index.php/Ancient_Civilizations)
    • Industrial Revolution (http://www.academickids.com/encyclopedia/index.php/Industrial_Revolution)
    • Middle Ages (http://www.academickids.com/encyclopedia/index.php/Middle_Ages)
    • Prehistory (http://www.academickids.com/encyclopedia/index.php/Prehistory)
    • Renaissance (http://www.academickids.com/encyclopedia/index.php/Renaissance)
    • Timelines (http://www.academickids.com/encyclopedia/index.php/Timelines)
    • United States (http://www.academickids.com/encyclopedia/index.php/United_States)
    • Wars (http://www.academickids.com/encyclopedia/index.php/Wars)
    • World History (http://www.academickids.com/encyclopedia/index.php/History_of_the_world)
  • Human Body (http://www.academickids.com/encyclopedia/index.php/Human_Body)
  • Mathematics (http://www.academickids.com/encyclopedia/index.php/Mathematics)
  • Reference (http://www.academickids.com/encyclopedia/index.php/Reference)
  • Science (http://www.academickids.com/encyclopedia/index.php/Science)
    • Animals (http://www.academickids.com/encyclopedia/index.php/Animals)
    • Aviation (http://www.academickids.com/encyclopedia/index.php/Aviation)
    • Dinosaurs (http://www.academickids.com/encyclopedia/index.php/Dinosaurs)
    • Earth (http://www.academickids.com/encyclopedia/index.php/Earth)
    • Inventions (http://www.academickids.com/encyclopedia/index.php/Inventions)
    • Physical Science (http://www.academickids.com/encyclopedia/index.php/Physical_Science)
    • Plants (http://www.academickids.com/encyclopedia/index.php/Plants)
    • Scientists (http://www.academickids.com/encyclopedia/index.php/Scientists)
  • Social Studies (http://www.academickids.com/encyclopedia/index.php/Social_Studies)
    • Anthropology (http://www.academickids.com/encyclopedia/index.php/Anthropology)
    • Economics (http://www.academickids.com/encyclopedia/index.php/Economics)
    • Government (http://www.academickids.com/encyclopedia/index.php/Government)
    • Religion (http://www.academickids.com/encyclopedia/index.php/Religion)
    • Holidays (http://www.academickids.com/encyclopedia/index.php/Holidays)
  • Space and Astronomy
    • Solar System (http://www.academickids.com/encyclopedia/index.php/Solar_System)
    • Planets (http://www.academickids.com/encyclopedia/index.php/Planets)
  • Sports (http://www.academickids.com/encyclopedia/index.php/Sports)
  • Timelines (http://www.academickids.com/encyclopedia/index.php/Timelines)
  • Weather (http://www.academickids.com/encyclopedia/index.php/Weather)
  • US States (http://www.academickids.com/encyclopedia/index.php/US_States)

Information

  • Home Page (http://academickids.com/encyclopedia/index.php)
  • Contact Us (http://www.academickids.com/encyclopedia/index.php/Contactus)

  • Clip Art (http://classroomclipart.com)
Toolbox
Personal tools