Cross-Site Scripting (XSS)
As popular and helpful as cookies are, itâs becoming increasingly popular for people to turn off any cookie support. The reason is understandable: we store anything, from usernames and passwords to credit cards and other sensitive information, in stores of text that arenât all that difficult to access. (Well, depending on how vulnerableâor notâa web site is.) The reason, though, is also not necessarily well founded. One of the greatest areas of vulnerability associated with a web site is known as a cross-site scripting (XSS) attack.
Hereâs how an attack happens: you receive an email, or thereâs a link in a web site comment or suchâanything that allows anonymous or semianonymous content. The link is to a legitimate site that takes cookies. Attached to the link is a set of characters, perhaps in hexadecimal format. Weâre used to long and unreadable URLs, so we donât make much of it. However, attached to that URL is a script that can trick the browser into bringing up whatever cookies are set between the person and the site. These, then, can be attached to the end of a document.location redirect, which basically sends this information to the new site.
This site then uses this information to emulate the site youâre expecting to access. Youâll continue to input valuable information, all the while the server site is gathering up your password, bank account, credit card information, etc.
This is what happens, more or less, with the email-phishing ...