Cross-site scripting is an ever-present danger on the web, to both consumers and businesses alike. Attacks can be carried out secretly without users even realizing it, and by the time holes are found and patched, it may already be too late. The majority of attacks happen because webmasters are either unaware of the problem, don’t know how to fix it, or do not see cross-site scripting as a problem; this grave mistake can prove detrimental to your business’s bottom line. Thankfully, there are ways to prevent these attacks and protect consumers and businesses from most, if not all, cross-site scripting attempts.
The motivation behind the actions of those committing the attacks varies. Some do it for fun, just to see if it can be done; some try to impress their peers; others have more vengeful or criminal reasons. Whatever the case may be, it is vitally important to understand what these threats mean to your business, where the vulnerabilities lie, and how attacks can be prevented.
In general, cross-site scripting attacks happen over the web, when malicious code is inserted into web forms and HTML pages where it would otherwise not appear. They can be used to steal confidential user information, misdirect users to illegitimate sites, corrupt database tables, or gain control of systems. The danger is magnified for users of systems where a single login provides numerous services, such as e-mail and web access to online software, because a single successful attack can compromise each service. There are several different types of attacks, and each has specific consequences that come with it, as well as associated solutions.
Another method of cross-site scripting involves e-mail spoofing, and is somewhat of a cross between the classic “Man-in-the-Middle” attack and regular phishing attacks. A hacker will send an e-mail to a user that appears to be from a particular website, and will even link to the real website. However, extra code is embedded in the link itself so that when a user clicks the link, the code executes silently inside the user’s browser, appended to the URL of the site visited. If the link goes to a log in page, the user’s login credentials can be sent back to the hacker, or the page’s output display can be changed to whatever the hacker wishes, depending on the malicious code used. Such code can alter the displayed page so that all form input, such as login credentials and billing information, is sent to the hacker’s server instead of the real server.
This type of attack can be thwarted by both users and webmasters. First and foremost, users can disable HTML e-mail and opt for all messages to appear as text only. When viewing HTML e-mails, you must be careful when clicking links that appear inside e-mails – even if an e-mail looks legitimate, it is always safer to close all browser windows, open a new one, and go to the appropriate website directly to find the information you need. Going straight to the source will severely hinder, if not completely eliminate, a hacker’s ability to inject malicious code into your browser. On the server side, the server should be configured to not allow extraneous code within the passed URL, such as that which would be placed in the address bar of the user’s web browser via a malicious e-mail link. Webmasters can protect their websites from this type of attack by validating all rendered code to ensure that no additional code has been added to the page.
Cross-site scripting can come from a variety of angles, for many different reasons, and have a virtually unlimited number of effects on both user and server systems. For these reasons, all webmasters and business owners should be aware of the dangers and what measures should be taken to prevent attacks.
William Bell is the Director of Security for EC Suite; a leading provider of credit card processing, affiliate management, wholesale bandwidth, and content protection and other e-commerce solutions.
Post Footer automatically generated by wp-posturl plugin for wordpress.