As one of the most common attacks posing a serious risk to web security, cross-site scripting (XSS) is a long-term concern for every web user. How much do you know about XSS attacks? Here, we'd like to give an introduction to them.
XSS, short for cross-site scripting, is a technique that forces a website to echo back executable code supplied by an attacker so that the user's browser loads and runs it. Unlike the vast majority of attacks, which involve only an attacker and a victim, XSS involves three parties: the attacker, the client and the website. Through an XSS attack, a malicious user can steal a client's cookies or other sensitive authentication information and then interact with the website in that client's name. The attacker can also obtain sensitive information held in browser cookies, such as user names and passwords, and can tamper with web pages for profit. As the statistics suggest, one third of the 10297 websites investigated have XSS bugs. Therefore, users should attach great importance to protecting web security by preventing XSS attacks.
Hackers usually carry out XSS attacks in one of three ways: through email, by storing malicious code on a web server, or through the user's browser. In the first case, a malicious user appends special characters that do not belong in a normal URL; the web server reflects those characters back, and the browser runs the script they contain. For instance, an attacker adds such characters to the URL of your e-bank website and emails you the link. You click it, trusting the received email to be legitimate. Your browser then sends the script to the web server, and all your browser cookies and e-bank login information are intercepted by the malicious script the web server echoed back. The attacker can then log in to your e-bank with the intercepted information.
Moreover, an XSS attack may store malicious code on a web server. Suppose an attacker logs in to an e-commerce website and posts a message containing XSS; a few days later, you log in to the same website and read the message. At that moment, the script steals all your browser cookies and login information and sends them to the criminals.
In an XSS attack aimed at the web browser itself, the attacker plants a virus-infected Flash file on the website you are visiting. Once your browser downloads the Flash file, it triggers a cross-site script, and the attacker is then able to read all the information in your browser.
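The reflected (email link) and stored (forum message) scenarios above share one root cause: untrusted text is placed into HTML without being encoded for the context it lands in. The following is an added JavaScript example, not code from the original article, showing the vulnerable rendering pattern beside its hardened form, a small review check that detects injected tags, and a cookie header that limits what a successful script could steal. All function names (escapeHtml, renderMessageUnsafe, renderMessageSafe, containsInjectedTag, sessionCookieHeader) and the sample message are constructed for this illustration.

```javascript
// Added example (not from the original article): contextual output encoding,
// the standard mitigation for reflected and stored XSS. All names here are
// hypothetical; the sample message is constructed.

// Encode the five characters that change meaning inside an HTML text node
// or a double/single-quoted attribute value.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: user-supplied text (a stored message, or a URL
// parameter echoed back by the server) is concatenated straight into HTML,
// so any tag inside it becomes part of the page and runs in the victim's browser.
function renderMessageUnsafe(message) {
  return '<div class="msg">' + message + '</div>';
}

// Hardened pattern: the same template, but the untrusted value is encoded
// for the HTML-body context. The browser shows the tag text literally.
function renderMessageSafe(message) {
  return '<div class="msg">' + escapeHtml(message) + '</div>';
}

// Review / unit-test check: feed a probe containing a tag through a render
// function and compare the number of '<' characters in the output with the
// number produced for an empty value. Any extra '<' means the probe was
// injected as markup rather than shown as text.
function containsInjectedTag(renderFn) {
  const baseline = (renderFn('').match(/</g) || []).length;
  const rendered = renderFn('<img src=x onerror=alert(1)>');
  return (rendered.match(/</g) || []).length > baseline;
}

// Defence in depth for the cookie-theft outcome the article describes:
// HttpOnly keeps the session cookie out of reach of document.cookie,
// Secure restricts it to HTTPS, and SameSite=Lax limits cross-site sending.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample message of the kind a malicious user might store.
const CONSTRUCTED_MESSAGE = '<script>alert(1)</script>';

console.log('unsafe :', renderMessageUnsafe(CONSTRUCTED_MESSAGE));
console.log('safe   :', renderMessageSafe(CONSTRUCTED_MESSAGE));
console.log('unsafe injectable?', containsInjectedTag(renderMessageUnsafe));
console.log('safe injectable?  ', containsInjectedTag(renderMessageSafe));
console.log('Set-Cookie:', sessionCookieHeader('sid', 'constructed-session-id'));
```

The encoder above is only correct for HTML body text and quoted attribute values; a value placed inside a JavaScript block, a URL, or a CSS property needs the encoding rules of that context, which is why a templating engine with context-aware auto-escaping is preferred over hand-built string concatenation in real applications.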