The Threats Behind Cross Site Scripting Computer Science Essay


Cross-site scripting, also referred to as XSS, is a form of security vulnerability which takes place when a web application collects data, normally in the form of a hyperlink, which has been injected with malicious content. It usually originates in web applications and makes it possible for malicious attackers to inject client-side script into web pages. XSS exploits are nowadays the most common vulnerabilities in web applications, and almost all application vulnerabilities are exploited through 3 regular attack vectors: stored, reflected and advanced. The outcome of cross-site scripting is similar regardless of the vector used. These outcomes consist of site redirection, installation as well as execution of malicious code, session cookie hijacking, account compromise, and modification or disclosure of files. Unicode encoding is often used to encode malicious code and tags so that the HTML content or the link is obfuscated to the end user who is browsing the website.


Even with the use of traceback techniques it is normally very hard to identify the origin of a cross-site script, since the vulnerable server facilitates the injection of malicious code into the browser of the user. Attackers therefore use exploited cross-site scripting flaws to bypass access controls, for example the same-origin policy. Close to eighty percent of the security vulnerabilities documented by Symantec in 2007 consisted of cross-site scripting.

Cross-site scripting can pose a serious threat to online businesses. It is common for genuine shopping websites to be injected with malicious script which in turn redirects customers to an identical page which is not authentic. A single cross-site scripting vulnerability in a business application of any kind can do extensive damage. Even though such an attack originally hits a single user, it can rapidly spread from the browser of the victim to many other operating systems. At the individual level, a victim of cross-site scripting can lose all his life's savings due to identity theft. Malware programmes such as cross-site scripting attacks have replaced viruses due to their ability to trick users and access financial information. Cross-site scripting attacks have become an online epidemic, and the antimalware and antivirus industry does not seem to be able to keep up.

Cross-site scripting attacks pose great danger to organizations and businesses. They have greatly contributed to the theft of organization secrets, not only for malicious reasons but in order to profit from selling those secrets to competitors. If organization systems are not sufficiently protected against cross-site scripting attacks, this can lead to theft of internal messages which can be used to defame high-ranking employees; the larger the company, the greater the potential damage.

According to a study done by Info Week Research, malware such as cross-site scripting attacks cost businesses in America approximately two hundred and sixty-six billion dollars; that is close to three percent of national gross domestic product. McAfee's Active Defense unit released a report stating that in 2015 sixty-five percent of online business losses will be caused by cross-site scripting attacks. In addition, XSS attacks are mostly spread through web applications such as email. This is one of the biggest mediums of communication in companies today. So when companies slowly shift away from using email, they start losing as well as productivity. When an XSS attack causes a denial of service, it has a great negative impact on business operations, which in turn leads to massive losses.

Cross-site scripting flaws are categorized into three types: the reflective attack vector, the advanced attack vectors and the stored attack vector. A reflective attack vector is also referred to as non-persistent. It occurs when a malicious script or code is injected via a vulnerable web server, through any available method, into a response which is part of a legitimate HTTP request. General examples of reflective attacks are error messages in search engines as well as in submitted web forms. In some situations an unsuspecting user is tempted to click on a malicious link which in turn leads to a malicious server which injects (reflects) the malicious code back into the web browser of the user. The user's browser in turn executes the malicious script or code, since the vulnerable server is typically a trusted and known site. Common methods of delivering XSS exploits are search engines, instant messaging and email.


Stored attack vectors are also referred to as persistent; they occur whenever malicious code or script is stored permanently on a malicious or vulnerable server via blog entries, a database, web forums, newsgroups, or any other method of permanent storage. An example of a stored XSS attack is a stored malicious script which is injected into the browser of the user when the user accesses stored data from the malicious or vulnerable server.

Advanced attack vectors normally use the POST method or HTML frame and image constructs (`<iframe>`, `<img>`, `<frame>`). By using HTML constructs, attackers are able to camouflage embedded malicious script in web-based emails and web pages. The use of advanced attack vectors enables a user to send unwanted email to multiple users with the intention of trapping several unsuspecting victims. The browser automatically executes the order upon accessing the HTML content of the web page.

The HTTP POST method is a recent, more intricate attack method; it occurs when a person gains access to a web page which uses variables to run the malicious script. The vulnerable server then receives a POST command sent by the malicious page. The final step occurs when the malicious script is injected into the browser or redirects the browser to a malicious website.

To lessen the chances of a user becoming a victim of a cross-site scripting attack, the first defense mechanism is contextual output escaping/encoding. Several different encoding schemes are applied depending on where the untrusted string is placed within the HTML document; these include HTML encoding, CSS escaping, JavaScript escaping and URL encoding.

Almost all web applications can work without accepting rich data, or can instead use escaping in order to decrease the chances of cross-site scripting. However, merely performing HTML encoding on the 5 XML significant characters is not a foolproof technique against all forms of cross-site scripting. Using a security encoding library is of great importance and highly recommended, since encoding can be very tricky.
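The following added example (not part of the original essay) shows one encoder per output context and why HTML encoding alone is not enough: a URL with a script scheme passes through the HTML encoder unchanged, so the URL context needs a scheme allowlist as well. All function names and the sample input are constructed for illustration; in production a maintained encoding library should be used.

```javascript
// Added example: one encoder per output context (names are illustrative).
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML element content and quoted attribute values: the five significant characters.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Quoted JavaScript string literal: \uXXXX-escape every UTF-16 code unit that is
// not alphanumeric, so quotes, backslashes and "</script>" lose their meaning.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Quoted CSS string or property value: backslash-hex escape of each code point,
// followed by the terminating space that CSS syntax allows.
function encodeCss(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => '\\' + c.codePointAt(0).toString(16) + ' ');
}

// Value placed inside a URL query parameter.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Whole URL placed in href/src: encoding cannot neutralise a dangerous scheme,
// so allowlist the scheme first, then HTML-encode for the attribute.
function safeHref(value) {
  let url;
  try { url = new URL(String(value)); } catch { return '#'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return encodeHtml(url.href);
}

// Constructed sample input, rendered into each context.
const untrusted = 'javascript:void(0)';
console.log('HTML body  :', encodeHtml(untrusted));     // unchanged: nothing to encode
console.log('href value :', safeHref(untrusted));       // rejected by scheme allowlist
console.log('JS string  :', encodeJsString('</script>'));
console.log('CSS value  :', encodeCss('red;x'));
console.log('URL param  :', encodeUrlParam('a b&c=d'));
```
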

Another way to prevent a cross-site scripting attack is to always validate untrusted HTML input. Operators of certain web applications, such as webmail and forums, permit users to use a subset of HTML markup. Output encoding is not enough when accepting input in the form of HTML from users, because in such a situation the user is the one who supplies the markup to be rendered as HTML.
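One conservative way to accept a subset of HTML markup, shown here as an added example that is not part of the original essay: encode the whole input first, then restore only exact, attribute-free tags from an allowlist. The tag list, function names and sample input are assumptions made for illustration; the approach does not balance unclosed tags, and a maintained sanitizer library is preferable where attributes such as links are needed.

```javascript
// Added example: allowlist-based handling of untrusted HTML (illustrative names).
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'blockquote'];
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Matches an encoded opening or closing tag with no attributes, e.g. "&lt;/b&gt;".
const ALLOWED_TAG_RE = new RegExp('&lt;(/?)(' + ALLOWED_TAGS.join('|') + ')&gt;', 'gi');

function escapeAll(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// Returns the sanitized markup plus the names of tags that were left encoded,
// which is useful for logging and for tuning the allowlist.
function sanitizeHtml(input) {
  // 1. Neutralise everything: after this step no raw markup remains.
  const escaped = escapeAll(input);
  // 2. Restore only exact allowlisted tags. A tag carrying attributes
  //    (for example an event handler) does not match and stays encoded.
  const html = escaped.replace(ALLOWED_TAG_RE,
    (_, slash, name) => '<' + slash + name.toLowerCase() + '>');
  // 3. Report tag names that are still encoded in the output.
  const rejected = [...html.matchAll(/&lt;\/?([a-z][a-z0-9]*)/gi)]
    .map((m) => m[1].toLowerCase());
  return { html, rejected: [...new Set(rejected)] };
}

// Constructed sample: allowed formatting, a script element, and an allowed
// tag name carrying an attribute.
const sample = '<p>Hi <b>there</b></p><script>x()</script><b onclick="x()">y</b>';
const result = sanitizeHtml(sample);
console.log(result.html);
console.log('left encoded:', result.rejected.join(', '));
```
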

In addition to content filtering, other common yet imperfect methods are used to prevent cross-site scripting attacks. One example involves the use of supplementary security controls when managing cookie-based verification of the user. Most web applications depend on session cookies for verification between HTTP requests; since client-side scripts usually have access to such cookies, cross-site scripting exploits can access and copy them.

To lessen this precise threat, almost all browsers tie session cookies to the IP address of the person who initially logged in; only that IP is permitted to gain access to and use that cookie. However, this method has one weakness in that it only works where the attacker has the intention of accessing cookies. It completely fails to stop an attacker who is using the same web proxy or the same NATed IP address, or who simply chooses to interfere with the site through script injection rather than attempt to steal cookies for future use.

Disabling scripts in web browsers can also deter cross-site scripting attacks. The advantage of this technique is that even if potentially malicious scripts and code were injected into a link or page on the client side, the user would still not be prone to an XSS attack. Furthermore, many browsers as well as browser plug-ins can be modified to disable client-side scripts on a per-domain basis.

However, this approach is of little or no value if scripts are permitted by default, since the user would become aware of a bad website only when it is too late. Functionality which limits or blocks every form of scripting as well as external inclusion, and permits the user to grant access on a per-domain basis, is extremely effective; many browsers, such as Internet Explorer (since version 4) and Mozilla, support script-disabling functionality.


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


Other promising defensive technologies include auto-escaping templates and JavaScript sandbox tools. These promising techniques are still evolving and changing, thus raising hopes of a safe computing world without cross-site scripting attacks.