Web security – XSS attack

As one of the commonly seen attacks which pose great risk to web security, XSS attack prevention is a long-term concern for all web users. How much do you know about XSS attack? Here, we'd like to make an introduction to XSS attack.

XSS, short for cross-site scripting is a kind of technology which enforces website to echo executable codes provided by attackers and makes user explorer to load. Unlike the vast majority of attacks involving attackers and victims only, XSS relates to attackers, clients and websites. Via XSS attack, malicious users can steal client cookies or sensitive authentication information, and then interact with websites under clients' name. Moreover, via XSS attack, malicious users can gain sensitive information which may be included in explorer cookies such as user name and password. Additionally, attackers can tamper web pages so as to make profits. As statistics suggest, one third of investigated 10297 websites have XSS bugs. Therefore, users should attach great importance to protect web security by preventing XSS attacks.

Hackers usually implement XSS attack through three ways: emails, web server storing malicious codes and user explorer. Firstly, malicious users can add some special characters such as foreign characters to a general URL website, and then those characters will timely inform the web server which will run available scripts. For instance, if attackers have added such kind of characters into your e-bank website, and emailed you. Moreover, you click the website link, confirming the legality of the received email. In this condition, you explorer will send the script to certain web server, and all explorer cookies and e-bank login information will be intercepted by the malicious codes running on the web server. Then, attackers can log in your e-bank with the intercepted information.

Moreover, XSS attack may store malicious codes into a web server. Supposing that attackers logged into an e-commerce website, and send a message including XSS, and a few days later, you log into the same website and read the message. At this time, the script will steal all your explorer cookies and login information and then send such information to criminals.

Implementing XSS attack aiming at web explorer, attackers can leave a virus-infected Flash file to the website you are visiting. Once your explorer downloads the Flash, the file will trigger a cross-site script. In such cases, attackers are able to know all the information on your explorer.

If users want to prevent XSS attack so as to protect web security, they can take the following tips: Firstly, directly ignore web links. For instance, if website A is linked to the website: somerandomsite.com/page, but users want to visit the linked website, they had better not click the web link. Instead, look up the website via search function. This way can effectively prevent XSS attack embedded in linked website, but it fails to work when encountering content-sharing websites. Also, users can disable scripting language such as JavaScript in explorer to protect web security, but some excellent functions may get unavailable.