Cross-Site Scripting, Explained

I’ve seen many references to “cross-site” scripting attacks in the past few years. Almost every piece of software out there has had to release some kind of security update to protect its users from this type of vulnerability.

Since WordPress 1.5.1.3 came out (to address this and other flaws), I figured I’d read up a little more on what cross-site scripting actually is, the risks, and how to protect against it.

Gulftech (R&D) does a good job of explaining everything [in technical terms] in an article entitled “When Small Mistakes Can Cause Big Problems”. Here’s the lowdown, in non-tech lingo.

What is it: When a link (or a form, for that matter) on a website you visit can actually harm you (i.e. put financial and personal information at risk). The problem begins with the site you visit (which might be running vulnerable software), but is then transferred to your browser with the click of the mouse. Because “the problem” is coming from one source (untrusted site) that has injected code into pages sent by another source (trusted site), this vulnerability has been described as “cross-site” scripting.
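To make that concrete, here is an added illustration (not taken from the Gulftech article or from WordPress): a made-up search page on trusted.example that echoes the `q` value from a link into its HTML, first as-is and then HTML-encoded. The host, the function names and the sample link are all assumptions constructed for this example.

```javascript
// Added example: reflected XSS in a hypothetical search page on trusted.example.
// Host, function names and the sample link are constructed for illustration.

// Vulnerable: the "q" value from the link is pasted into the HTML as-is,
// so markup in the link becomes markup in the trusted site's page.
function renderVulnerable(pageUrl) {
  const q = new URL(pageUrl).searchParams.get("q") || "";
  return "<p>Results for: " + q + "</p>";
}

// Encode the five characters that let text break out of HTML text or attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same page, but the value is encoded before it reaches the markup,
// so the browser displays it as text instead of running it.
function renderSafe(pageUrl) {
  const q = new URL(pageUrl).searchParams.get("q") || "";
  return "<p>Results for: " + escapeHtml(q) + "</p>";
}

// Constructed link, as it might arrive in an e-mail or sit on another site.
// Note how the percent-encoding makes it one of those long, weird URLs.
const craftedLink =
  "https://trusted.example/search?q=" +
  encodeURIComponent("<script>alert(document.domain)</script>");

console.log("link:      ", craftedLink);
console.log("vulnerable:", renderVulnerable(craftedLink));
console.log("hardened:  ", renderSafe(craftedLink));
```
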

The risks: As always, the internet is about trust relationships. The risks increase when sites we’ve come to trust and use every day become vulnerable. The first reason is that we’re obviously less suspicious of sites we’ve been to before, and might let our guard down enough to click a bad link. The second reason builds off the first: the data stored on your favorite “trusted” sites is much more sensitive than any information you might put on some site that you weren’t sure you trusted.

So actually, it’s the trusted sites that you’ve got to be the most careful of. I’ve been saying the same thing about email for some time now. Don’t ever open emails from someone you don’t know, but be even more suspicious of emails (and attachments) from people you do know. Just think before you click.

Best defence:

  1. disable scripting support in your browser (some sites may not display properly)
  2. think before you click (look out for really long, weird URLs)
  3. don’t check off “remember my password” on forms (you’re just asking for trouble)

Other references include:
» CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
» Cgisecurity.com: Cross Site Scripting questions and answers
» perl.com: Preventing Cross-site Scripting Attacks
