Cross Site Scripting

Cross site scripting (called XSS for short) is when a hacker manages to get some of their code posted to a well-known webpage like Amazon or CNN. The problem comes because people think they can trust those sites and also because those sites get so much traffic that the hacker's code can affect more people.

How You Get Exposed to XSS

Without getting specific, the hacker usually gets their code posted by exploiting poor security practices in features like comments or product reviews, or they can simply buy ad space through one of the banner ad services the target website subscribes to. So to review, you get nailed because the website either isn't paying attention to security or because they don't bother to only promote services they support (like I do) and instead subscribe to completely random advertisements through a service that sells space (basically like a billboard company).

What XSS Does

The main thing XSS does is steal your cookies. Your cookies can contain interesting information about you like your name, address, phone number, credit card number, or anything else the site you're on knows about you (if that site stored the information in a cookie). More importantly, if you use the "Remember Me" feature of a page so you don't have to log in every time (which is done via cookies), then if a hacker steals your cookie, they can log in AS YOU without knowing your name and password.

That's bad, but it gets worse

Did you ever notice that when you are on a page like Facebook or Paypal and you click some command like "Send money" or "Add friend" that all the data that is needed for the command is listed right in the URL in the address bar?

http://www.facebook.com/home.php?addfriend=83763

In this fictional, but approximate example, you can see the command "addfriend" followed by the id number of the friend to add. If you are logged into your account and you type a correct url like the one above, you can command Facebook and other sites to perform actions simply by knowing what codes to use.

The problem comes in with XSS. If a hacker can write the code to load an image into a comment, a review, or an advertisement, and you load the page the code is on, here's what they can do. Instead of telling the image to load an actual image, they can put the url command above in the image tag instead. This does two things:

  1. Because it's an image tag that doesn't actually load an image, you won't even see that it's there.
  2. Because they used url commands, if you are currently logged into that service when you load the page with the hacker code, your browser will execute the command.

Granted, all the above code will do is force you to friend me on Facebook which might not seem like a big deal to you, but what if I did this instead:

http://www.paypal.com/home.php?sendmoney=500.00&source=myaccount&destination=hackeraccount

So essentially, just by loading the wrong webpage, you could lose your money in an instant as long as you're logged into that service in another window or tab.

XSS Defense

Most major web services have handled this issue, but not all of them have. Until the web-coding standards address the vulnerability that allows XSS in the first place (variable data in image calls), your best defense is to never use the "Remember Me" feature of a website and always log out of services when you're done with them (especially before browsing around in another window or tab).
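The cookie theft described under "What XSS Does" and the image-tag "url command" trick (the second pattern is more commonly called cross-site request forgery) share a set of fixes on the website's side. The following is an added example, not code from this site or from any of the services named above: a Python sketch of three checks a site's developer can apply, where the parameter names, the request header names and the token value are assumptions.

```python
import hmac
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit


def render_comment(user_text):
    """Part 1: encode what a visitor typed before putting it in the page.
    Angle brackets and quotes become literal characters, so an <img> or
    <script> posted as a comment or review is displayed, not executed."""
    return "<p>" + html.escape(user_text, quote=True) + "</p>"


def session_cookie_header(session_id):
    """Part 2: issue the 'Remember Me' cookie with protective attributes.
    HttpOnly keeps page scripts from reading it (the cookie theft above);
    SameSite=Lax stops the browser attaching it to requests that another
    site triggers with an <img src=...> tag."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar.output(header="").strip()


# Hypothetical query parameters that change account state (names taken
# from the article's fictional URLs).
STATE_CHANGING = {"addfriend", "sendmoney"}


def allow_action(method, url, headers, expected_csrf_token):
    """Part 3: never run an account action off a bare URL. It must arrive
    by POST (an <img> tag can only produce GET), must not be flagged
    cross-site by the browser, and must carry the site's own anti-CSRF
    token, which a page on another domain has no way to know."""
    params = parse_qs(urlsplit(url).query)
    if not any(name in params for name in STATE_CHANGING):
        return True  # ordinary page view; nothing to protect
    if method != "POST":
        return False
    # Sec-Fetch-Site is sent by modern browsers; an explicit cross-site
    # value is a rejection, and the token check covers older browsers.
    if headers.get("Sec-Fetch-Site") == "cross-site":
        return False
    supplied = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(supplied, expected_csrf_token)
```

With these in place, the injected image tag from the article still loads, but it arrives as a GET with no token, so the money transfer is refused, and the cookie it was hoping to ride on is not even sent.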
