Table of contents
- What is cross site scripting
- What is cross site request forgery
- Who is to blame
- How can users protect themselves
- How do you know what type of login a site is using
- How can Web sites protect themselves
- Cross site scripting
- Escaping data
- Never trust URLs you are given
- Being careful with scripts
- Using HTTP-only cookies
- Using HTTP authentication
- Storing safer cookies
- Allowing only certain HTML input
- Using BB code
- Embedding content from other sites
- Cross site request forgery
- Encode a session ID in the URL
- Check referrers
- Prompting for passwords
- Pass unique IDs in form submission
- Secure sites
What is cross site scripting
Cross site scripting (XSS) is where one site manages to run a script on another site, with the privileges of you, the user.
In many pages, this would be completely harmless. But now imagine that you have logged into site A, and that site has used a session cookie to store your identity. If site B manages to make you load a page on site A containing a script they have injected into it, that script could take the cookie for site A and send it to site B. The person running site B can then use your cookie in their own browser, and site A will treat them as if they were you.
In the case of site A being a blog or forum, they could erase or alter your posts, add new abusive posts, or erase your account. In the case of Web mail systems, they could send abusive email to your colleagues, delete any emails, or read all the passwords you have been sent in your email, which may give them access to even more systems. In the case of it being a banking site, they could make large cash transactions using your bank account. In the case of banking or shopping sites, they could obtain your banking details, and use them to make their own purchases.
XSS can also be introduced by other users on shared sites, such as forums or blog comments, where a user may find a way to inject scripts into stored page content, so the exploit survives much longer than a single page load.
Cookies are not the only target of cross site scripting, but they are a very easy way to exploit a simple mistake made by the site author. In some cases, it may be possible to inject a script onto the login form of the site, convince you to fill it in, and then make it send them your password. Or they could simply make it load another page on the site, submitting form data to it, or use other means to perform actions on your behalf.
Unlike phishing scams where a site tries to trick users into thinking it is another site, XSS is the real site, not a fake. It has just allowed another site to run a script on it, in the context of one of its users.
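The mistake described above, shown as an added example rather than code from the original article: a page template that echoes a user-supplied name into its HTML, once without escaping (the injected script survives as markup) and once with the escaping fix. The function and variable names here are assumptions for illustration.

```javascript
// Constructed example: a page that echoes a user-supplied name into HTML.
// renderUnsafe shows the mistake the section describes; renderSafe shows the fix.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is pasted straight into the markup, so a name
// containing a <script> tag becomes a script that runs on this site with
// the privileges of whoever views the page.
function renderUnsafe(name) {
  return `<p>Welcome back, ${name}!</p>`;
}

// Fixed: the same template, but the input is escaped first, so the browser
// displays the tag as literal text instead of executing it.
function renderSafe(name) {
  return `<p>Welcome back, ${escapeHtml(name)}!</p>`;
}

// Crude check a reviewer might run over rendered output: did any
// user-derived text survive as an executable <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed malicious input of the kind the section describes
// (evil() stands in for whatever the injected script would do).
const injected = "<script>evil()</script>";

console.log(renderUnsafe(injected)); // the <script> element survives intact
console.log(renderSafe(injected));   // rendered as &lt;script&gt;evil()&lt;/script&gt;
```

Escaping is context-specific: this covers text nodes and quoted attribute values, while URLs, inline event handlers and script blocks each need their own encoding.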