CROSS-SITE SCRIPTING – BEG, BORROW, STEAL
By: Shivani Mishra
MSCLIS (2007-09), IIIT-Allahabad
Dynamic websites face a threat that static websites do not, called "Cross-site Scripting". It is one of the pressing problems of the internet world. Cross-site Scripting potentially enables a malicious user to introduce executable code of his choice into another user's web session. Once that code is running it can take a wide range of actions, from monitoring the user's web session and forwarding a copy to the malicious user, to changing what is displayed on the user's screen. Even more seriously, the script can make itself persistent, so that the next time the user returns to the website the malicious user's script starts running again.
Have you ever mistyped an address and received a message that said something like "page not found"? Chances are that you never gave it a thought and simply moved on to another site. However, when you encounter an error message like that, you may actually be witnessing a potential security breach, not necessarily against the site, but rather against you directly.
The most sensitive information transferred over the internet is your password and your credit card information. Cross-site Scripting has a huge hand in misusing this information. Let's look at an example that explains how information is mishandled with Cross-site Scripting.
Consider this valid URL:
http://www.example.com/FILENAME.html
If the document "FILENAME.html" did not exist, the website could return an error message such as:
<html>
404 page does not exist: FILENAME.html
...
</html>
Notice that "FILENAME.html" is a string that you entered. The website has included it in the returned page and passed it straight through to your browser.
Under normal conditions this may not seem like a major problem. But the situation can change. Suppose you are browsing an auction site where several items are posted, and you are interested in the items of one particular store. You place your bid on an item from that store and supply your name, password and other relevant details. The hitch is that your information reaches the store directly: the store can access your information, place bids in your name, change your details and even block you from using your own account.
So what did the store do? The store's website offered a link to the auction site. The markup behind that link looked similar to this:
<a href="http://auction.example.com/<script>alert('hello')</script>">click</a>
The "FILENAME.html" submitted to the auction site (auction.example.com) was therefore:
<script>alert('hello')</script>
The auction site then used its ordinary routines to generate an error page for you that read:
<html>
404 page not found: <script>alert('hello')</script>
...
</html>
Simply put, the store managed to "inject" a JavaScript program into the page returned to you by the auction site. The JavaScript ran as though it originated at auction.example.com, and could therefore process events in that document. It also maintained communication with the store by virtue of the scripting the store had put in the link.
This was a simple example of how cross-site scripting (CSS) can "sniff" sensitive data from within a web page, including passwords, credit card numbers and any other arbitrary information you input. This is what goes on behind the illegal fund transfers that occur within banking websites.
Finally...
Cross-site Scripting is a serious problem. The solutions, input validation and HTML escaping, are simple but must be applied every single time. An application with a single overlooked form field is just as insecure as one that does no checking whatsoever.
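As an added illustration (example code written for this edit, not part of the original article), here is the 404 renderer from the auction-site example above in its vulnerable form beside a version that applies the HTML escaping this paragraph recommends. The function names, the payload string and the tag-collecting parser are constructed for the demonstration; the point is that the same untrusted filename is rendered as a live <script> element by one renderer and as inert text by the other.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the path the article's store link submits.
INJECTED_PATH = "<script>alert('hello')</script>"


def render_404_vulnerable(filename: str) -> str:
    """Mirror of the article's broken 404 page: the requested name is
    copied into the HTML verbatim, so any markup it contains becomes
    part of the document the browser parses."""
    return f"<html>\n404 page not found: {filename}\n</html>"


def render_404_escaped(filename: str) -> str:
    """Hardened version: HTML-escape the untrusted value before it is
    placed in the page. '<' becomes '&lt;', quotes become entities, so
    the browser displays the text instead of executing it."""
    safe = html.escape(filename, quote=True)
    return f"<html>\n404 page not found: {safe}\n</html>"


class _TagCollector(HTMLParser):
    """Records every start tag the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):  # noqa: D401 - callback
        self.tags.append(tag)


def script_tags_in(page: str) -> list[str]:
    """Parse the rendered page the way a browser would (roughly) and
    return the <script> start tags found. Parsing, rather than a
    substring search, is what distinguishes real markup from escaped
    text such as '&lt;script&gt;'."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return [t for t in parser.tags if t == "script"]


def escaping_preserves_value(filename: str) -> bool:
    """Escaping is lossless: unescaping the rendered text yields the
    original string, so nothing the user typed is discarded."""
    escaped = html.escape(filename, quote=True)
    return html.unescape(escaped) == filename


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_404_vulnerable),
                           ("escaped", render_404_escaped)):
        page = renderer(INJECTED_PATH)
        print(f"{name}: script tags = {script_tags_in(page)}")
        print(page)
```

Run it and the vulnerable renderer reports one script tag while the escaped renderer reports none; the escaped page still shows the user exactly what was requested, only as text. The same escaping step has to be applied to every place untrusted input is echoed, which is the point the paragraph above makes about a single overlooked field.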
The solution requires websites and website developers to review their code and verify that it adheres to secure coding practices.