Hello mo chairde, This blog post has potential to get me in trouble. It's naughty, but I feel it's essential people are made aware of how widespread and common Cross site scripting vulnerabilities are. They have the potential to be malicious and this is why people need to learn how to spot them. Not everyone is as web savvy as they should be yet most of us spend a significant amount of time online. I will do my best to explain in simple terms how to spot these common attacks. I will also provide some tips to developers how to mitigate them.
Cross site scripting (XSS) is easily the most common web based vulnerability. For certain types of xss, The dangers are quite significant. The two main types are reflective xss and persistant xss. In this post I will only be discussing reflective, the less dangerous and more focused attack. A reflective xss attack normally involves an attacker sending or posting a malicious url to the victim. When the user visits this crafted url, something malicious can occur.
How can you recognise these malicious urls or links?
The easiest thing you may first recognize is html tags in a url. (Ex.http://blah.com/?s=
Firefox has a lot of great plugins and is a great web browser, sadly it doesn't have as good protection as chrome. There are some methods to bypass this on chrome though. If you aren't web savvy I'd suggest using chrome as it has methods of mitigating these attacks.
Just how common are these attacks?
I'd like to say they aren't everywhere but after some investigation it seems they are. I wrote a short script that inserts "">