Category : Web Security
With the advancement of technology, cyber attacks are also increasing day by day. Today I am going to discuss one such attack, which has become very common nowadays and which the title already gives away: Cross-site Scripting (XSS).
What is Cross-site Scripting?
Basically, it is an attack technique in which an attacker tricks a web site into delivering malicious code that is then executed in the victim's web browser. XSS targets trusted, frequently visited sites, because their users' browsers will run whatever those sites serve. The attack is not performed against the server; it is performed in the user's browser. The server is only the host that delivers the payload, and the user is the victim. Once the attacker can run script in the user's browser the consequences can be severe: he can hijack the session and the account, steal saved passwords through form autofill, pivot into the user's intranet, and read cookies (those not marked HttpOnly) and other browser-side data.
Scripts used in XSS are written in JavaScript (not Java, which is an unrelated language), because JavaScript is what the browser executes; HTML payloads can also carry script through event attributes such as onerror or onload.
Note: XSS is in the OWASP Top 10. In the 2013 edition, current when this was written, it is ranked third (A3).
OWASP (Open Web Application Security Project) is a non-profit community that focuses on improving the security of software.
XSS is categorized into three types:
· Persistent (stored): The attacker injects code through an input field (a comment box, a profile field, or a URL parameter that the application saves) and the server stores it in its database. The malicious code is then served to every user who views that page, so the attacker does not have to lure each victim individually. This is the most devastating variant.
· Non-persistent (reflected): The injected code arrives in the request, usually as a URL parameter, and is echoed straight back in the response without being stored. It is the most common XSS type because it is easy to find, but the attacker has to trick the victim into visiting a crafted URL he has sent, which is why it is generally considered less harmful than stored XSS.
· DOM-based: The vulnerability lies in the page's own client-side JavaScript rather than in the HTML the server generates. A script reads attacker-controlled data from a source such as location.hash or document.URL and writes it to a dangerous sink such as innerHTML, document.write() or eval(). Because the fragment after # is never sent to the server, server-side filtering never sees the payload.
Example: www.victimsite.com/abc.html#alert(“You are hacked “)/ – this only fires if abc.html contains a script that passes the fragment to such a sink.
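The three classes described above, as an added example that is not part of the original post: a few lines of JavaScript (runnable under Node, with a plain object standing in for a DOM node) showing where the payload enters in each case and that all three paths hand the browser attacker-controlled markup. The function names, the comment store and the payload string are constructed for illustration.

```javascript
// Added example, not from the original post. renderSearch, CommentStore,
// renderFromHash and PAYLOAD are assumptions made for illustration.

// Constructed attacker payload, the kind of string a comment box or URL would carry.
const PAYLOAD = '<img src=x onerror="alert(\'You are hacked\')">';

// 1. Reflected (non-persistent): the server echoes a query parameter straight
// into the response. The victim must be tricked into opening the crafted URL.
function renderSearch(query) {
  // Vulnerable: no output encoding before concatenating into markup.
  return '<h1>Results for ' + query + '</h1>';
}

// 2. Persistent (stored): attacker input is saved on the server and shown to
// every later visitor, so no link has to be sent to any particular victim.
class CommentStore {
  constructor() { this.comments = []; }
  add(author, text) { this.comments.push({ author, text }); }
  // Vulnerable: stored text is concatenated into markup on every page view.
  render() {
    return this.comments
      .map(c => '<li><b>' + c.author + '</b>: ' + c.text + '</li>')
      .join('\n');
  }
}

// 3. DOM-based: the page's own script reads a source (location.hash) and
// writes it to a sink (innerHTML). The fragment never reaches the server, so
// server-side filtering cannot see it. `element` stands in for a DOM node so
// this runs under Node; in a browser it would be document.getElementById(...).
function renderFromHash(element, hash) {
  const fragment = decodeURIComponent(hash.replace(/^#/, ''));
  element.innerHTML = 'Welcome, ' + fragment;   // vulnerable sink
  return element.innerHTML;
}

// Would the browser execute the attacker's handler? Looks for the event
// attribute surviving intact in the produced markup.
function containsHandler(html) {
  return /onerror\s*=/i.test(html);
}

// Runs all three paths with the same payload and returns the markup each produces.
function demo() {
  const store = new CommentStore();
  store.add('alice', 'nice post');
  store.add('mallory', PAYLOAD);
  const fakeNode = { innerHTML: '' };
  return {
    reflected: renderSearch(PAYLOAD),
    stored: store.render(),
    dom: renderFromHash(fakeNode, '#' + encodeURIComponent(PAYLOAD)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [kind, html] of Object.entries(demo())) {
    console.log(kind + ': ' + (containsHandler(html) ? 'attacker script EXECUTES' : 'safe'));
    console.log('  ' + html.replace(/\n/g, '\n  '));
  }
}
```

The point of the DOM case is the one the list makes: the same payload that a server-side filter would catch in the reflected and stored paths arrives in the fragment and is handled entirely by client-side code, so the fix for that path is a safe sink (textContent instead of innerHTML) rather than a server-side check.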
Prevention of XSS attack:
Escaping techniques:
htmlspecialchars() function – this PHP function escapes the characters that have meaning in HTML markup into HTML entities:
· & is converted into &amp;
· " is converted into &quot;
· ' is converted into &#039; (only when the ENT_QUOTES flag is passed; older PHP defaults leave single quotes alone)
· < is converted into &lt;
· > is converted into &gt;
Call it as htmlspecialchars($input, ENT_QUOTES, 'UTF-8') so that both quote styles are escaped and the character set is fixed.
Output encoding must match the context where the data lands (HTML body, HTML attribute, JavaScript string, URL); HTML entity encoding alone does not protect a JavaScript or URL context. Declaring the page's character set explicitly (Content-Type: text/html; charset=UTF-8, or a meta charset tag) is also part of the defense: when the browser has to guess the charset, UTF-7 and multi-byte tricks have been used to smuggle < and > past filters. UTF-8 by itself does not prevent XSS; it only removes that class of bypass.
magic_quotes_gpc = On – an old PHP setting (deprecated in PHP 5.3, removed in 5.4) that automatically put a backslash before every single quote ', double quote " and backslash \ (and NUL byte) in request data. It was aimed at naive SQL queries, not at HTML: a backslash means nothing in markup, so <script> passes through untouched.
Both techniques are widely cited XSS countermeasures, but both can be bypassed: htmlspecialchars() fails when it is applied in the wrong context (an unquoted attribute, a JavaScript string, a URL) or without ENT_QUOTES, and magic_quotes never addressed XSS at all. Context-aware output encoding, preferably done by a templating engine that escapes by default, is the reliable defense.
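An added example, not from the original post, comparing the two techniques above: a JavaScript port of PHP's htmlspecialchars() (with and without ENT_QUOTES) beside a function that does what magic_quotes_gpc did to request data, each run against constructed payloads in four HTML output contexts. breaksOut() reports whether the escaped value can still terminate its context, which is what an attacker needs. All function names, contexts and payloads are assumptions for illustration.

```javascript
// Added example, not from the original post. escapeHtml, escapeHtmlCompat,
// magicQuotes, CONTEXTS, PAYLOADS and breaksOut are illustrative assumptions.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Equivalent of htmlspecialchars($s, ENT_QUOTES): both quote styles escaped.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// Equivalent of htmlspecialchars($s) without ENT_QUOTES: single quotes pass through.
function escapeHtmlCompat(s) {
  return String(s).replace(/[&<>"]/g, ch => HTML_ENTITIES[ch]);
}

// What magic_quotes_gpc=On did to request data: backslash before ' " \ and NUL.
// Nothing that matters to an HTML parser is touched.
function magicQuotes(s) {
  return String(s).replace(/[\\'"\0]/g, ch => '\\' + ch);
}

// Four places a template might put the value, and the character class that
// lets a value break out of each one.
const CONTEXTS = {
  body:             { wrap: v => '<p>' + v + '</p>',          breaks: /[<>]/ },
  quotedAttr:       { wrap: v => '<input value="' + v + '">', breaks: /"/ },
  singleQuotedAttr: { wrap: v => "<input value='" + v + "'>", breaks: /'/ },
  unquotedAttr:     { wrap: v => '<input value=' + v + '>',   breaks: /[\s"'`<>=]/ },
};

// Constructed payloads, one tailored to each context.
const PAYLOADS = {
  body:             '<script>alert(1)</script>',
  quotedAttr:       '" autofocus onfocus="alert(1)',
  singleQuotedAttr: "' autofocus onfocus='alert(1)",
  unquotedAttr:     'x onmouseover=alert(1)',
};

// True when the escaped payload still contains a character that terminates
// its context, i.e. the escaper did not protect this placement.
function breaksOut(contextName, escaper, payload) {
  return CONTEXTS[contextName].breaks.test(escaper(payload));
}

// Runs one escaper across all contexts; true means still exploitable.
function report(escaper) {
  const out = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    out[name] = breaksOut(name, escaper, payload);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, fn] of [['htmlspecialchars+ENT_QUOTES', escapeHtml],
                             ['htmlspecialchars (no ENT_QUOTES)', escapeHtmlCompat],
                             ['magic_quotes_gpc', magicQuotes]]) {
    console.log(label, report(fn));
    for (const name of Object.keys(PAYLOADS)) {
      console.log('  ' + name + ': ' + CONTEXTS[name].wrap(fn(PAYLOADS[name])));
    }
  }
}
```

The matrix shows why "escape it" is not enough on its own: the full escaper holds in the body and in quoted attributes but not in an unquoted attribute (whitespace is enough to start a new attribute there), the variant without ENT_QUOTES lets a single-quoted attribute be broken, and magic_quotes-style backslashes change nothing the HTML parser cares about.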
© 2016 Copyrights. All Rights Reserved