Cross-Site Scripting (XSS)

As popular and helpful as cookies are, it’s becoming increasingly popular for people to turn off any cookie support. The reason is understandable: we store anything, from usernames and passwords to credit cards and other sensitive information, in stores of text that aren’t all that difficult to access. (Well, depending on how vulnerable—or not—a web site is.) The reason, though, is also not necessarily well founded. One of the greatest areas of vulnerability associated with a web site is known as a cross-site scripting (XSS) attack.

Here’s how an attack happens: you receive an email, or there’s a link in a web site comment or such—anything that allows anonymous or semianonymous content. The link is to a legitimate site that takes cookies. Attached to the link is a set of characters, perhaps in hexadecimal format. We’re used to long and unreadable URLs, so we don’t make much of it. However, attached to that URL is a script that can trick the browser into bringing up whatever cookies are set between the person and the site. These, then, can be attached to the end of a document.location redirect, which basically sends this information to the new site.

This site then uses this information to emulate the site you’re expecting to access. You’ll continue to input valuable information, all the while the server site is gathering up your password, bank account, credit card information, etc.

This is what happens, more or less, with the email-phishing ...

Get Learning JavaScript now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.