Nowadays hacking has become so easy that even children can do it, and one of the most prevalent forms of attack is Cross Site Scripting (XSS). I will briefly explain what this form of attack is, and hopefully by the end of this post you will be able to protect your applications against it.
Persistent Vs. Non-Persistent XSS
Non-persistent XSS is a different kettle of fish, as it involves modifying the URL so that scripts are embedded directly into the HTML. Say, for instance, the URL parameter “&name=” is used in your application simply to print out its value without any processing. A malicious user could then modify the value of this parameter to include some devious scripting, e.g. “&name=<SCRIPT>….</SCRIPT>”, and because the value is reflected back verbatim, the browser runs it as part of your page. Once again, this can be prevented by cleansing (encoding) any URL parameters that are used in the creation of HTML.
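To make the “&name=” case concrete, here is an added example (not code from the original post) showing the reflected parameter written into the page untouched beside the hardened version that encodes it first. The function names, the query strings and the check at the end are assumptions made for this illustration; the encoder covers the characters that matter in an HTML text node or a double-quoted attribute.

```javascript
// Added example, not from the original post: a reflected-XSS sink beside
// its hardened form. renderGreeting, renderGreetingSafe, containsTag and
// the sample query strings are assumptions made for this illustration.

// Entity-encode the five characters that let text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the URL parameter is concatenated into the page untouched,
// so markup inside the parameter becomes markup in the response.
function renderGreeting(name) {
  return "<p>Hello, " + name + "!</p>";
}

// Hardened: the same page, but the parameter is encoded for an HTML text
// context before it is inserted. The browser now shows the angle brackets
// as literal characters instead of parsing them.
function renderGreetingSafe(name) {
  return "<p>Hello, " + escapeHtml(name) + "!</p>";
}

// Pull the "name" parameter out of a query string the way a web framework would.
function nameFromQuery(queryString) {
  const params = new URLSearchParams(queryString);
  return params.get("name") ?? "";
}

// Simple check a defender can run over a rendered page: did a tag with this
// name survive into the output as real markup?
function containsTag(html, tag) {
  return html.toLowerCase().includes("<" + tag.toLowerCase());
}

// Constructed sample requests: the harmless case, and the case the post
// describes, where "&name=" carries a script tag.
const benign = nameFromQuery("?page=1&name=Alice");
const hostile = nameFromQuery("?page=1&name=<script>alert(1)</script>");

console.log(renderGreeting(benign));
console.log(renderGreeting(hostile));      // script tag survives: vulnerable
console.log(renderGreetingSafe(hostile));  // &lt;script&gt;...: inert text
console.log(containsTag(renderGreeting(hostile), "script"));      // true
console.log(containsTag(renderGreetingSafe(hostile), "script"));  // false
```

The encoding has to match the context the value lands in: this encoder is right for text nodes and quoted attributes, but a value placed inside a script block, a URL or a CSS rule needs the encoder for that context instead.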
Cross Site Request Forgery (XSRF)
XSRF is a more serious exploitation of the cross-site technique. For example, if you are using an online bank to transfer money and then leave the site without logging out, your session will still be active. If you subsequently view a mischievous website containing an HTML element that triggers a request to the bank, your browser attaches the still-valid session cookie to that request, and it can be used to perform an action on the bank's website without you even knowing. The HTML element might look like this:
<img src="http://www.mybank.com/withdraw?account=current&amount=1000000&to=Fred&accnum=12345678">
Banks are now more aware of cross-site requests, and most now require the use of a card reader to make withdrawals. But another simple way to stop this from happening is to log out of your bank account when you are finished!
What can I do?
So hopefully, when developing applications, you will now be aware of the threat that XSS poses; the trick is to be clean, and never write untrusted input into HTML without cleansing it first. You must also be aware that it is out there, so when browsing the web be vigilant at all times.