If you can convince a browser to run a script, then you can control a significant amount of a user’s working environment. In this video, you’ll learn about cross-site scripting and how XSS attacks can be used to steal right from under our noses.
Cross-site scripting is often abbreviated as XSS. We don’t use the abbreviation CSS, because we’re already using that for Cascading Style Sheets when working in HTML. So whenever you see XSS, we’re really referring to a cross-site security flaw. At least originally, it was a cross-site security flaw in which a browser allowed you to send information between sites if you had both of those windows open in your browser.
One type of cross-site scripting vulnerability is a non-persistent cross-site scripting attack. This is one that’s also referred to as a reflected attack. Take, for example, a web search screen. You’re able to input information and search for things. But what if you could also put a script into that input box, and the script would perform a function? Maybe it took information about a session ID, it took a user’s credentials, it took cookie information, and it sent those through an email to the bad guy, all because you simply ran a search in a normal search box.
This attack takes place in the user’s browser. You don’t need a third person, and there doesn’t need to be a server standing by; this all happens in the browser window. This executes, and the bad guys are able to steal this information, usually without any knowledge on the front end that it’s occurring. All of this happens with scripting behind the scenes. It’s mailed off or sent off to the bad guy, and now they can gain access to information that normally they would not have access to.
Here’s how a number of vulnerabilities, including a cross-site scripting vulnerability, allow you to hack an automobile. This was discovered in June 2017 by Aaron Guzman. He’s a security researcher, and he was looking at Subaru’s front-end website that allows you to customize things on your car. Whenever you authenticate to the Subaru website, the user’s browser receives a token.
Make sure that you keep your browsers and other web-based applications updated on your workstation. There are a number of browser vulnerabilities that might allow cross-site scripting, and by updating your browser you can always make sure that they are patched to the latest version. And if you’re a developer, make sure you’re validating input. The end user should not be able to store scripts or input scripts into your application. And if you can stop it at the application, then you know the cross-site scripting attack is not going to work.
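The search-box case described above, as an added example that is not part of the original video: a page that reflects the query unencoded, next to a version that validates the input and HTML-encodes it on output. All function names and the allow-list pattern are assumptions made for this illustration.

```javascript
// Added example. Function names and the allow-list are hypothetical.

// Vulnerable: the query is concatenated straight into markup, so any
// tags the user typed become part of the page the browser parses.
function renderResultsUnsafe(query) {
  return "<h1>Results for " + query + "</h1>";
}

// Output encoding: replace the characters that let text break out of
// HTML text or quoted-attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: always encodes, whatever the caller validated.
function renderResultsSafe(query) {
  return "<h1>Results for " + escapeHtml(query) + "</h1>";
}

// Input validation: allow-list of letters, digits, spaces and a little
// punctuation, 1 to 100 characters. Anything else is rejected outright.
function isValidQuery(query) {
  return typeof query === "string" && /^[\p{L}\p{N} .,'-]{1,100}$/u.test(query);
}

// Hypothetical request handler combining both layers.
function handleSearch(query) {
  if (!isValidQuery(query)) {
    return { status: 400, body: "<h1>Invalid search term</h1>" };
  }
  return { status: 200, body: renderResultsSafe(query) };
}

// Constructed sample inputs: one harmless probe, one ordinary search.
const samples = ["<script>alert(1)</script>", "o'brien"];
for (const q of samples) {
  console.log(JSON.stringify(q));
  console.log("  unsafe :", renderResultsUnsafe(q));
  console.log("  safe   :", renderResultsSafe(q));
  console.log("  handler:", JSON.stringify(handleSearch(q)));
}
```

Validation rejects the script-bearing query before it is rendered, and the encoder still neutralizes the apostrophe in the legitimate query, which is why the two checks are layered rather than used alone.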