Cross site scripting

 Cross site scripting (XSS) 

What is an XSS attack? 

An XSS (cross site scripting) attack relies on improper programming on a web server. First the attacker would look for input boxes. These could be things such as comment boxes, URLs, posts, and messages. Once the attacker finds a vulnerable input field, they craft a malicious payload they want to inject into the web server. This could be something like stealing user IDs, passwords and other sensitive information. Usually, this payload is in the form of JavaScript code. Next, the hacker injects the payload into the web server so that when a legitimate user tries to access it, their data is stolen and sent to a server controlled by the hacker. 

How to stop XSS 

The main prevention method for XSS is making sure all your inputs are sanitised. This means that input variables should be properly handled and not directly put into strings. A company may also implement a content security policy to block applications that could be vulnerable to cross site scripting. 

Real world XSS attacks 

    • Myspace ‘Samy’ Worm (2005) - Samy Kamkar, a security researcher, executed one of the most famous XSS attacks by creating a worm that spread across Myspace, a popular social networking site. Kamkar injected JavaScript code into his profile, which, when viewed by other users, added them as friends and promoted his profile. 
    • Twitter Worm (2009) A hacker found an XSS vulnerability in Twitter that allowed them to exploit the “onmouseover event with links. This allowed them to retweet the worm just by hovering over it. 
    • Yahoo XSS (2017) - Yahoo’s popular email service was affected by a persistent XSS vulnerability. Attackers could send malicious emails containing JavaScript that, when opened, would execute in the recipient’s email client. 

 

Are XSS attacks illegal? 

Yes. XSS attacks break the computer misuse act as they intend to cause harm to a computer/computer system and steal data. Most of the time, XSS attacks link to malware which is also illegal to distribute and create with intent to harm. 

Comments

Post a Comment

Popular posts from this blog

OSA Assignment 1 - Task 3 GUIDE

Image
  OSA Assignment 1 – Task 3 Guide     Exam parameters   Time length – 5 hours (2x 2 ½ sessions)   Marks available – 28     Task 3: Design – Communication Equipment   In this task you are required to submit :   A technical proposal covering the switches, wireless infrastructure and specifications   Justification of planned network architecture and considerations for security, resilience, performance and redundancy   Evidence print screens   Annotated floor plan/network diagram     Technical Proposal   The technical proposal in task 3 follows a similar format as task 2. It's another large document detailing the requirements and recommendations for the company. In task 3, however , it should discuss communication and other digital equipment such as switches, CCTV and APs.   You should recommend multiple hardware solutions and justify between them.   Here are some examples of tables and information ...
Read more

OSA Assignment 1 - Task 1 GUIDE

  OSA Assignment 1 – Task 1 Guide     Exam parameters   Time length – 3 hours   Marks available – 20     Task 1: Planning   In this task you are required to submit :   A project plan   Gantt chart showing th e critical path   Explanation of legal requirements   Physical and digital threat countermeasures   Annotated floor plan     Gantt Chart   The Gantt Chart is the first document you should create. This details each phase of the project alongside the timescale to complete it.   Ensure you make a note of the deadline for the project along with any pre-requisites such as cabling. This should all be implemented into your Gantt Chart.   You can follow a layout like this:   Project:   Pre considerations (Gathering project timescale, risk assessments, ...)   Planning (Devising project plan, identifying budget, ...)   Design (Research hardware, identify topology, ...)   Pre ...
Read more

OSA Summer 2023 Mock - Task 1, Assignment 1

Image
  OSA Summer 2023 Mock – Task 1           Legal requirements   The company must ensure they are compliant with the correct legislation whilst the project is undertaken.   If any person is working at height, the correct safety measures to prevent injury or death must be imposed under The Work at Height Regulations 2005. They must have an appropriate safety harness on and hazardous areas at height should be i dentified in the risk assessment.   By storing data internally on a local file server, the business is responsible for maintaining the confidentiality, availability and integrity of that data. They must comply with The Data Protection Act 2018 and General Data Protection Regulations.   Display screen equipment regulations (DSE) should be considered when installing workstations. Ergonomic and posture-friendly chairs should be installed and employees given appropriate breaks from working around screens.     Data p...
Read more