Wednesday, May 6, 2009

Anatomy of an XSS Attack

Cross site scripting (XSS) flaws are a relatively common issue in web application security, but they are still extremely lethal. They are unique in that, rather than attacking a server directly, they use a vulnerable server as a vector to attack a client. This can lead to extreme difficulty in tracing attackers, especially when requests are not fully logged (such as POST requests). Many documents discuss the actual insertion of HTML into a vulnerable script, but stop short of explaining the full ramifications of what can be done with a successful XSS attack. While this is adequate for prevention, the exact impact of cross site scripting attacks has not been fully appreciated. This paper will explore those possibilities.

This is a unique effort written in the 1st person, as a cybercriminal, to exemplify the grave harm that can come to users and consumers when cross-site scripting (XSS) vulnerabilities are left unmitigated.

Download from holisticinfosec

No comments: