Cross Site Scripting (XSS)

What is cross site scripting? 

Cross site scripting “XSS” in short is a way using that hacker can inject the JavaScript into your web page.

Cross site scripting used to trick users into running JavaScript code and also used to steal the cookies data.

Let’s take a simple example to understand this, lets say you have the below URL and you are submitting the request to server using the GET method

URL:  Register.aspx?Email=abc@xyz.com

and after submitting this request your web site storing the same into database and also executing the same request server side as well as client side.

What hackers do, they change the URL like shown below and submit the same

Register.aspx?Email=<script>alert(“Gotcha!”);</script>

So, when you take this data from database or read it from query string then system will show the alert message with “Gotcha!” as the text.

This is the simple example, hackers can do many major activities and harm your web site and they succeed because “Cross Site Scripting” is done via another web site and since it is done using JavaScript browser allow it as browser trusts JavaScript.

Browsers also allow the JavaScript to access the cookies data, so whatever information you are storing into the cookies related to user hacker can hack the same, change the value and submit it back.

Solution to XSS:

Sanitize the dynamic data coming as input or that gets output to the browsers. This data can be in the form of HTML, XML, JSON, JavaScript, etc.

Sanitize the data while storing the same into database or retrieving it from database.

Sometimes HTML must allowed (Content Management System), use the concept of Black listing and White listing in order to allow / prevent the tags to be used along with content being displayed on the site.

Recommended solution is to use the White Listing solution for CMS tags. Apart from these tags sanitize everything else.

Advertisements

#cross-site-scripting, #xss