Cross-Site Scripting (XSS) denotes the exploitation of a computer security vulnerability in which information from a context where it is not trustworthy is inserted into another context where it is classified as trustworthy. An attack can then be launched from this trusted context.
The name "Cross-Site" derives from the way the attack is carried out across websites (for example, a page controlled by the attacker contains a prepared hyperlink that leads to the supposedly trustworthy website of a usually unsuspecting third party).
Cross-Site Scripting is sometimes also abbreviated "CSS", but it has nothing to do with Cascading Style Sheets technology, which is far more frequently called CSS. To avoid confusion, the abbreviation XSS should therefore be used.
The term Cross-Site Scripting covers two fundamentally different attack vectors, which are confused again and again or treated without distinction. They are the following two:
In client-side Cross-Site Scripting, code is executed on the client side, for instance in the web browser or the e-mail program. The attacker must therefore get a prepared hyperlink to the victim, for example by embedding it in a web page or sending it in an e-mail. URL spoofing techniques and encoding methods are frequently used to make the link appear inconspicuous or trustworthy.
A classic example of client-side Cross-Site Scripting is the passing of parameters to a CGI script of a website. This may make it possible to send manipulated data to the user. The data is often code in a client-side scripting language that is passed to a website as a parameter. If this code then reappears in the web page sent back by the server, the user's web browser may execute it. This can be achieved by entering data into a form on the page that normally serves as the input box for a web forum, or by publishing a URL with the code as a parameter for the user to click on (e.g. in e-mails or on Usenet).
This becomes dangerous if the website on which the code was placed is granted special security rights (privileges) in the local browser. Depending on the power of the scripting language, the code can then do various things that are possible with the rights of the local user. Alternatively, the code can also steal cookies containing login information.
Since on Microsoft Windows systems the local user is frequently given administrator rights for reasons of convenience, this is already a potentially very dangerous constellation. But even without administrator rights, the attacker can try to obtain them by exploiting security vulnerabilities in the execution of the scripting language concerned.
In server-side Cross-Site Scripting, the attempt is made to execute code on the server. This is possible, for example, through PHP's "include" statement. PHP allows files from other computers to be included, and thus also from an attacker's computer. Some programming languages such as Perl offer the possibility of running local programs via a shell. If a local program is called with user-manipulable parameters and the parameters are not filtered accordingly, it is possible to call further programs. In this way, files can be changed or sensitive data spied out.
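The include problem described above, with the vulnerable pattern shown as a comment beside a hardened form. This is an added example, not code from the original page; the page names, the pages/ directory and the function resolvePage() are assumptions made for illustration. Setting allow_url_include = Off in php.ini additionally stops include from fetching files from other hosts.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern described in the text (do not use): the request
// parameter reaches include directly, so it can name a file elsewhere.
//     include $_GET['page'];

// Hardened form: the parameter is only a key into a fixed allow-list and
// never becomes part of a path. Names and paths are assumed for the example.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'news'    => __DIR__ . '/pages/news.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the local file to include, or null if the request is not allowed.
function resolvePage(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

// Constructed sample values for the "page" request parameter.
$requests = [
    'news',
    'http://other-host.example/code.txt',
    '../pages/news',
    '',
];

foreach ($requests as $requested) {
    $file = resolvePage($requested);
    if ($file === null) {
        // A real handler would answer with HTTP 404 here and stop.
        $result = 'rejected';
    } else {
        // A real handler would now run: include $file;
        $result = 'include ' . basename($file);
    }
    printf("%-40s -> %s\n", var_export($requested, true), $result);
}
```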
Recently, web spiders such as the Google search robot have been abused to carry out server-side XSS and SQL injection attacks. For this purpose a prepared link is published on a web page. As soon as a web spider follows this link, it triggers the attack. As a result, the IP address of the spider, and not that of the actual attacker, appears in the logs of the attacked system.
To protect a web application against XSS attacks, all incoming parameters must be regarded as unsafe and checked accordingly before use. Here the quotations of a Microsoft employee apply, who titled one book "Never trust" and then called his next one "All incoming data is EVIL". How can this be explained? Any data that has once been with the client, i.e. with the visitor of the website, is potentially contaminated. For example, a member of a forum could call himself hallo<script>alert("test");</script>.
If the control characters (<>") and tags (<script>) contained in the string are not translated into HTML before being output to the browser (in PHP, for example, with htmlspecialchars()), the browser executes it as JavaScript. The viewer of the page sees only hallo displayed, but gets an annoying box with the caption "test". It would also be possible here, for example, to insert JavaScript code into the user name that sends the user's session cookie to a foreign computer (e.g. <script>(new Image).src=''</script>). Logically, HTML input from one user must not be sent back to other users without first being processed. Prohibiting <script> tags does not lead to success either, since various other tags can also be abused for XSS.
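The escaping rule from the two paragraphs above, as an added example that is not part of the original page: it runs the user name from the text and two constructed names through a filter that only removes <script> tags and through htmlspecialchars(). The helper names h() and stripScriptTags() and the second and third sample names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Escape untrusted text for HTML element content and quoted attribute values.
// ENT_QUOTES also encodes ' so single-quoted attributes cannot be closed early;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The approach the text warns against: deleting <script> tags only.
function stripScriptTags(string $untrusted): string
{
    return preg_replace('#</?script\b[^>]*>#i', '', $untrusted) ?? '';
}

// Constructed sample user names; the first is the one used in the text.
$names = [
    'hallo<script>alert("test");</script>',
    'hallo<img src="x" onerror="alert(\'test\')">',
    'O\'Neil & "friends"',
];

foreach ($names as $name) {
    $filtered = stripScriptTags($name);
    $escaped  = h($name);

    echo "input:          $name\n";
    // Any '<' left after the tag filter is still parsed as markup by the browser.
    echo "script filter:  $filtered",
         strpos($filtered, '<') !== false ? "   <-- markup survives\n" : "\n";
    // After escaping, the browser displays the characters instead of parsing them.
    echo "escaped body:   <p>Welcome, $escaped</p>\n";
    echo "escaped attr:   <input name=\"user\" value=\"$escaped\">\n\n";
}
```

The third name shows that escaping, unlike filtering, also keeps legitimate input with quotes and ampersands intact.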
One can protect oneself against client-side XSS attacks by switching off JavaScript (Active Scripting) in the browser. However, some browsers offer further attack vectors.