XSS Hole

For example, the user may come across a hyperlink in a Web application pointing to some malicious content. The user may click the link and be led to another page containing some advertisement or email bulletin. This page gathers user information in the form of a password. It also generates a malicious output page that indicates some fake response tailored to appear as genuine to the user. Either the data entered by the user can be misused or the user's session can be hijacked by cookie theft. Based on the sensitivity of the data collected, cross-site scripting can range from a mere vulnerability to a serious security loophole. After exploitation of the XSS vulnerability, the attacker may bypass the organization's access control policies.

The concept of cross-site scripting is based on the same original policy. Same original policies state that a Web browser using JavaScript can access different properties and methods belonging to the same site without any restrictions. Malicious attackers can exploit the concept of the same original policy by injecting malicious code into a website using JavaScript. When the Web pages are viewed by users, attackers may gather some useful user information such as a username or password.

As per statistics gathered by Symantec in 2007, cross-site scripting accounts for 80 percent of all the security attacks executed using computers. There are three types of cross-site scripting:

• Non-Persistent XSS: The non-persistent type of cross-site scripting is seen during HTTP requests in which the client embeds data into an HTTP request. When the server uses data sent by the client to generate pages, the XSS holes can be active if the request has not been sanitized properly. HTML pages are composed of both content and presentation. If the malicious user adds some content that has not been validated, then markup injection occurs. The user will compromise his security by entering information requested by the malicious code. The attacker can mislead the user to a different URL, which may contain a more sophisticated virus and acquire important user information.

• Persistent XSS: The malicious content injected by the attacker is saved on the server side and all further client requests access the modified content, thereby posing a serious security risk. For example, some forums allow the user to post HTML formatted messages. Therefore, an attacker can embed a JavaScript code to present a malicious text box to gather information such as a password. The attacker may also configure the JavaScript code to save and transmit every password entered in the text field.

• DOM Based XSS: The document object model (DOM) is a tree structure that represents all the tags that appear in a document that conforms to XML standards. DOM is used in JavaScript to access and manipulate HTML tags and the content within the tags. An attacker can inject a malicious piece of JavaScript code that contains appropriate DOM statements to access and modify important user information. For example, the attacker may use DOM to redirect the user information by an improper submission to a third-party malicious website.