Channel: SecurityMetrics Blog

Cross-Site Scripting, Explained


One of the most common website attacks that most businesses have never heard of.

By: Brand Barney, Security Analyst

Cross-site scripting (also known as XSS) allows attackers to embed malicious script into a legitimate (but vulnerable) website, ultimately to gather user data such as credit card numbers or passwords.




How does cross-site scripting work? Here’s an example of one type of XSS.

  • The hacker finds a legitimate webpage with an input field. Input fields could range from a first name field to a credit card field.
  • The hacker checks if the webpage is vulnerable to cross-site scripting. For this type of attack to work, the web application must take the data the user enters and echo it back to the user. For example, if you sign in with your username (say, example123) and the webpage says something like, “Welcome example123!”, that webpage is echoing your data back to you.
  • The hacker embeds malicious script. Depending on the JavaScript they enter into the comment field, hackers can capture the user's keystrokes, steal usernames or passwords entered into the fields, or even copy the entire webpage and redirect users to a fake one.
  • The hacker sits back and waits. When a user visits the webpage (usually through a malicious URL), the JavaScript executes in his or her browser and steals all manner of sensitive data. Users usually have no idea this is happening.
SEE ALSO: The Case of the Evil JavaScript


Is my website vulnerable to cross-site scripting?

Possibly. I estimate that 1/3 of all websites are susceptible to XSS.

XSS is a huge flaw in many websites if left untested and not properly avoided.

How to stop cross-site scripting on your website

  • Run external vulnerability scans. Vulnerability scans help locate the coding errors where XSS vulnerabilities occur.
  • Talk to your web developer and make sure your site is properly coded with security in mind, so that user input is encoded before it is echoed back to the browser.
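The "echo" check described in the steps above and the developer-side fix recommended here, as an added example that is not from the original post: a welcome banner rendered the vulnerable way (input concatenated straight into the HTML) next to the same banner with output encoding, plus a small check a reviewer can run over the rendered output. The function names and sample inputs are constructed for this illustration.

```javascript
// Encode the five characters that let text break out of an HTML
// text or attribute context. Output encoding is the standard XSS fix.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the username goes into the markup unchanged, so the
// browser interprets whatever the user typed as HTML (and runs any script).
function renderWelcomeUnsafe(username) {
  return `<p>Welcome ${username}!</p>`;
}

// Hardened pattern: identical page, but the value is encoded before echo,
// so the browser shows the characters as literal text.
function renderWelcomeSafe(username) {
  return `<p>Welcome ${escapeHtml(username)}!</p>`;
}

// Reviewer check: did a value containing markup characters come back
// with those characters intact? If so, the page is echoing input raw.
function containsRawMarkup(html, userValue) {
  return /[<>"']/.test(userValue) && html.includes(userValue);
}

// Constructed sample inputs: an ordinary username and the harmless
// classic probe string that only pops an alert box if it executes.
const normalUser = "example123";
const probe = "<script>alert(1)</script>";

console.log(renderWelcomeUnsafe(probe)); // script tag survives intact
console.log(renderWelcomeSafe(probe));   // tag shown as literal text
console.log(containsRawMarkup(renderWelcomeUnsafe(probe), probe)); // true
console.log(containsRawMarkup(renderWelcomeSafe(probe), probe));   // false
```

The same encoding applies to any reflected value (search terms, error messages, profile fields), not just usernames; the vulnerability scan mentioned above is essentially automating the `containsRawMarkup` check against every input the site echoes.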
Ask your business security question in the comments!


Brand Barney (CISSP) is a Security Analyst at SecurityMetrics and has over 10 years of compliance, data security, and database management experience. Follow him on Twitter and check out his other blog posts.
