Cross-site scripting (XSS) is a vulnerability typically found in web applications that lets malicious users inject code into the web pages viewed by other users. Examples of such code include HTML and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued.
When Netscape first introduced the JavaScript language, they realized the security risks of allowing a Web server to send executable code to a browser (even if only in a browser sandbox). One key problem is the case where a user has more than one browser window open at once. In some instances, a script from one page should be allowed to access data from another page or object, but in others this should be strictly forbidden, as a malicious Web site could otherwise steal sensitive information this way. To address this problem, browsers introduced the same origin policy. Essentially, this policy allows any interaction between objects and pages that originated from the same domain and over the same protocol, and blocks interaction across different origins. That way, a malicious Web site is unable to read sensitive data from another browser window via JavaScript.
Since then, other similar access-control policies have been adopted in other browsers and client-side scripting languages to protect users from malicious Web sites. In general, cross-site scripting holes can be seen as vulnerabilities present in web pages which allow attackers to bypass these mechanisms. By finding clever ways of injecting malicious script into pages served by other domains, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other objects.
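The same-origin decision described above, written out as an added example that is not part of the original article (the host names are constructed); modern browsers also compare the port, which the code includes:

```javascript
// Added example, not from the original article: the origin comparison a
// browser makes before letting a script on one page touch another page.
// Modern browsers compare scheme, host and port; the article's "same domain,
// same protocol" rule is the historical form of the same check.
function defaultPort(scheme) {
  // Port a URL implies when none is written explicitly.
  return scheme === "https:" ? "443" : scheme === "http:" ? "80" : "";
}

function originOf(url) {
  const u = new URL(url);
  // u.origin would give "scheme://host[:port]" directly; building the tuple
  // by hand shows exactly which components take part in the decision.
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort(u.protocol) };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs (hypothetical hosts) with the expected decisions.
// Note the last pair: a script injected into a page on bank.example runs
// *as* bank.example, so the policy grants it everything that page can see,
// which is the access an XSS hole hands to the attacker.
const checks = [
  ["https://bank.example/account", "https://bank.example/transfer", true],  // same origin
  ["http://bank.example/",         "https://bank.example/",         false], // scheme differs
  ["https://bank.example/",        "https://evil.example/",         false], // host differs
  ["https://bank.example/",        "https://bank.example:8443/",    false], // port differs
  ["https://bank.example:443/",    "https://bank.example/",         true],  // explicit default port
  ["https://bank.example/profile", "https://bank.example/login",    true],  // injected script vs. page
];

// Returns true when every pair yields the expected decision.
function runChecks() {
  return checks.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}
```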
Terminology
The acronym CSS was often used in the early days to refer to cross-site scripting vulnerabilities, but this quickly became confusing in technical circles because both Cascading Style Sheets and the Content-scrambling system shared the same acronym. Perhaps the first use of the abbreviation XSS was by Steve Champeon in his Webmonkey article “XSS, Trust, and Barney”. In 2002, Steve also posted the suggestion of using XSS as an alternative abbreviation to the Bugtraq mailing list. In a rare show of unity, the security community quickly adopted the alternative, and CSS is seldom used today to refer to cross-site scripting, although a few existing pages still use it this way.
Related vulnerabilities
There are several classes of vulnerabilities or attack techniques which are related, and worth mentioning:
- Cross-zone scripting vulnerabilities, which exploit “zone” concepts in software to execute code with greater privilege than the page should have.
- HTTP Header Injection vulnerabilities, which can be used to create cross-site scripting conditions in addition to allowing attacks such as HTTP response splitting.
- Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user’s trust in a site, the attacker exploits the site’s trust in the client software, submitting requests that the site believes come from its own pages.
Licensed under the GNU Free Documentation License. It uses materials from the Wikipedia.