Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is the most popular avenue for attack against the corporate internal network. XSS remains the most popular attack against the masses because it is easy to find and to launch, while the consequences of the attack can be devastating. Although the scope of this chapter is beyond simple XSS tactics, no discussion of client-side exploitation would be complete without a mention of XSS. This section assumes that the reader is familiar with the concept of XSS. The goal of this section is to illustrate how sophisticated attackers today are able to leverage the most out of XSS vulnerabilities.

The amount of data that is passed between users and online applications is staggering. It seems that every significant business function has a web interface to manage various business actions and peruse data. The enormous amount of sensitive information passed in online transactions makes online data theft appealing and lucrative. Of the various online attacks, XSS remains one of the most prolific. Although numerous XSS attack techniques exist, this section will cover a few examples of attacks that focus on stealing user information. These attacks will progress in complexity and can be used as a foundation for more advanced, targeted attacks.

Note

If you are not familiar with XSS, the Wikipedia page at http://en.wikipedia.org/wiki/Cross-site_scripting is a good resource.

Stealing Sessions

Attackers often use XSS to steal user sessions. The following is ...

Get Hacking: The Next Generation now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.