Is there a funny side to cross site scripting?
Cross-site scripting (or XSS) is one of the most common web-application attacks that we see today. In general, cross-site scripting refers to the hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content to an end user, with the possibility of collecting some type of data from the victim.
Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. The heart of the issue is that if untrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective action.
The BBC have reported on an XSS attack in which visitors to Spain’s EU presidency website were greeted by an image of the hapless fictional character Mr Bean instead of Spain’s Socialist leader. It would appear that many people in Spain feel there is a strong physical resemblance between Mr Zapatero and Mr Bean. Now, it would appear that this XSS attack was not malicious, just a prank to poke fun.
However, XSS can be, and is, widely used for more malicious purposes. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code. Any web page which passes parameters to a database can be vulnerable to this hacking technique. So, whilst this incident with Mr Zapatero is amusing, the fact remains that XSS is a pernicious and dangerous technique and really is no laughing matter.
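To make the point about untrusted content in a dynamic page concrete, here is an added example (not code from the site in the BBC report) showing the same request parameter rendered without and with output encoding. The function names, the sample input and the `images.example` URL are constructed for illustration.

```javascript
// Added illustration: names and sample input are constructed, not from the article.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the request parameter becomes part of the page's markup.
function renderUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened pattern: the parameter is encoded on output, so it stays text.
function renderSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Defence in depth: a policy that only lets the browser load the site's own
// images and scripts, sent together with the encoded page.
function buildResponse(query) {
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': "default-src 'self'; img-src 'self'; script-src 'self'",
    },
    body: renderSafe(query),
  };
}

// List the element names a browser would treat as real tags in a page.
function tagsIn(html) {
  return [...html.matchAll(/<([a-z][a-z0-9]*)\b/gi)].map((m) => m[1].toLowerCase());
}

// Constructed input: harmless image markup arriving where plain text is expected.
const sampleQuery = '<img src="https://images.example/prank.png" alt="">';

console.log(tagsIn(renderUnsafe(sampleQuery))); // the site's <h1> plus an injected <img>
console.log(tagsIn(renderSafe(sampleQuery)));   // only the site's own <h1>
console.log(buildResponse(sampleQuery).headers['Content-Security-Policy']);
```

In the unencoded page the injected tag is indistinguishable from the site's own markup, which is why the encoding has to happen at the point where the value is written into the page.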