XSS WORM : Cross Site Scripting Attacks. The danger of Cross-Site Requests - Scripting and Forging.

Cross-site scripting is a potentially VERY dangerous application security exposure that should be considered extremely dangerous. Developers must take care to be alert to the process of beginning to search for Web application security vulnerabilities such as cross-site scripting (XSS) attacks when designing a secure Web-based or Web-aware application for the Internet.

Cross Site Scripting (also known as XSS or CSS) is generally believed by widely respected security researchers to be one of the most common web-application layer hacking techniques.

Today, websites and other Web-enabled Internet information services rely heavily on complex web-ready applications to deliver different streams of information output or content (sometimes referred to as “Web content” or “dynamic Web content”) to a wide variety of clients and users according to a specific set of preferences and needs. This arms dynamic organizations with the ability to provide better maximized value to their existing and emerging customer surface. However, dynamic websites suffer from serious vulnerabilities rendering organizations helpless and prone to cross site scripting attacks on their data.

“A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions.” (CERT Coordination Center).

Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.

A dynamic and skilled web 2.0 hacker can formulate and distribute a custom-crafted CSS (also known as XSS) URL just by using a browser to test the dynamic website response. The attacker also needs to know some HTML, JavaScript and a dynamic language, to produce a URL which is not too suspicious-looking, in order to attack a(n) XSS vulnerable website.

Any web page which passes parameters to a database can be vulnerable to this hacking technique. Usually these are present in Login forms, Forgot Password forms, etc…

N.B. Often people refer to Cross Site Scripting as XSS or also CSS which is can is can be confused with Cascading Style Sheets (CSS) or XSRF.

As a simple example, imagine a search engine site which is open to a XSS attack.