CROSS SITE SCRIPTING


Cross site scripting attacks are now mostly referred to as XSS attacks. Many websites have been found to have XSS vulnerabilities, including Yahoo, YouTube and other popular websites. An XSS attack is possible whenever a website has an XSS vulnerability.
It took me months to decipher what this attack is really about. Even when I was reading books on it, I felt I was seeing Latin. Anyway, now I’ve understood a whole lot about XSS attacks and how they work. It is very simple and interesting, and I believe you won’t easily find what I give you here anywhere else.
What is an XSS attack?
This attack is a form of code injection: an XSS attack exploits a website by inserting code into its web pages, where it then runs in the browser of whoever views the page. It was formerly called CSS as an acronym for cross site scripting, but I think because CSS already stood for cascading style sheets, it was changed to XSS, where the “X” represents a cross. Most times, people use the search box to do this. On an XSS-vulnerable website, when code like <script>alert('you are vulnerable to XSS');</script> is entered, a dialog box appears showing “you are vulnerable to XSS”. If this can be done, then the other XSS exploitations can be carried out on that website too.
A few years back, the prestigious Yahoo website was vulnerable to this attack. Back then, we hackers would simply inject the JavaScript below into the address bar:
javascript:(function(){var%20s,F,j,f,i;%20s%20=%20%22%22;
%20F%20=%20document.forms;%20for(j=0;%20j<F.length;%20++j)
%20{%20f%20=%20F[j];%20for%20(i=0;%20i<f.length;%20++i)
%20{%20if%20(f[i].type.toLowerCase()%20==%20%22password%22)
%20s%20+=%20f[i].value%20+%20%22\n%22;%20}%20}%20if
%20(s)%20alert(%22Passwords%20in%20forms%20on%20this
%20page:\n\n%22%20+%20s);%20else%20alert(%22There%20are
%20no%20passwords%20in%20forms%20on%20this
%20page.%22);})();
This was used to reveal the password hidden behind asterisks for anyone who had used his/her email account in that browser on that computer.
A scenario of how it works: Jeffrey uses his PC to check his Yahoo account and then logs out. Because Jeffrey had ticked the “remember me” checkbox on the Yahoo password authentication page, the page shows his email and his password as asterisks or big black dots. Once the JavaScript above is entered in the address bar, Jeffrey’s password is displayed to me in a dialog box. This was used for a long time before Yahoo fixed this error. You may still find tutorials on how to hack Yahoo accounts with this strategy, but here I am telling you that it is stale and can’t work anymore.
I don’t know much about how it happened with YouTube, but I know I’ve heard several times about XSS vulnerabilities found in YouTube.
There is a lot more you can do with XSS, which I will explain in later posts, so I will just list some other ways a cross site scripting attack can be used.
· It can be used to make cookie grabbers: with cross site scripting, you can pretend to be a website and steal cookies from some internet users.
· It can be used to deface web pages.
· It can be used for phishing.
To find XSS vulnerabilities in a website, you can use vulnerability scanners like Acunetix or JSky, and there are many others. You can even write your own program to find these vulnerabilities.
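
The search-box case and the "write your own program" idea described above, as an added example that is not code from the original post: a page that reflects the search term unencoded, an incomplete fix, and the hardened form, plus a small self-test that reports which probe strings a render function you own returns unencoded. All function names and the second probe string are assumptions made for illustration, and the angle-bracket-only filter goes slightly beyond the post to show why quotes must be encoded too.

```javascript
// Added example. All function names and the probe marker are hypothetical.

// Encode the characters that let text break out of HTML text or a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the search term is concatenated into the markup as-is.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1><input name="q" value="${query}">`;
}

// Incomplete fix: angle brackets are encoded, quotes are not.
function renderSearchAngleOnly(query) {
  const q = String(query).replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Hardened: every reflected value is encoded before it reaches the markup.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Self-test for a render function you own: return the probes that come back
// in the HTML character-for-character, i.e. without output encoding.
function reflectsUnencoded(render) {
  const probes = [
    "<script>alert('you are vulnerable to XSS');</script>", // the post's test string
    '" data-probe="xss-selftest-7f3a',                      // constructed: quote-only attribute breakout
  ];
  return probes.filter((probe) => render(probe).includes(probe));
}

for (const [name, render] of Object.entries({
  renderSearchUnsafe, renderSearchAngleOnly, renderSearchSafe,
})) {
  console.log(name, 'reflects unencoded:', reflectsUnencoded(render));
}
```

The angle-bracket-only renderer passes the script-tag probe but still reflects the quote probe inside the value attribute, which is why output encoding has to cover quotes as well.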
A Website by Neeraj
Copyright © 2014. Hacking Crush - All Rights Reserved
Developed by :Neeraj Dhawan
Organized by : Neeraj Dhawan