Web Application Break-In


This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."


Resources & Tools


Open Web Application Security Project (OWASP)

Web Application Security Consortium (WASC)

IIS Lockdown Tool

Google Webmasters FAQ

SANS Top 20 Vulnerabilities

Cross-Site Scripting
Unlike many application layer attacks, cross-site scripting (XSS) attacks target an application's users rather than its servers, often with the aim of stealing personal data. They affect any Web application that makes use of scripting, and by compromising its users they aim to indirectly compromise the application's infrastructure.

Scripting attacks work by injecting code, usually a client-side script such as JavaScript, into a Web application's output. Merely viewing that output executes the script: the browser runs it as though the trusted site had generated it, because a browser cannot distinguish legitimate content from malicious content served up by the same Web application. The victim may not even be aware that the script has executed.

Most Web sites have numerous possible injection points, making them vulnerable to this attack method. And although client-side scripts cannot directly affect server-side information, they can still compromise a site's security by altering form values or switching the form action to post the submitted data to the attacker's site. The most common purpose of XSS attacks, however, is to gather cookie data. Cookies are commonly, and often incorrectly, used to store information intended to be persistent during a browser session, or from session to session, such as session IDs, user preferences and login information. If input to your dynamically generated Web pages is not validated, either before it is processed or before it is published, you could fall prey to an XSS attack.
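As an added example, not code from the article: a page that echoes a request parameter unescaped, beside the same page with its output encoded, a crude check that counts tags the template did not produce, and a session cookie flagged HttpOnly so that script running in the page cannot read it. The function names and the sample input are constructed for this illustration.

```javascript
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can change meaning in HTML text or in a
// double-quoted attribute, so user input is rendered as data, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable: the request parameter is concatenated straight into the page.
function renderUnsafe(name) {
  return `<p>Welcome, ${name}</p>`;
}

// Hardened: the same page, with the untrusted value encoded for the HTML text context.
function renderSafe(name) {
  return `<p>Welcome, ${escapeHtml(name)}</p>`;
}

// Output check: count the tags in the rendered page and subtract the number
// the template itself produces; any surplus came from user input.
function injectedTagCount(html, templateTagCount) {
  const tags = html.match(/<[a-zA-Z/][^>]*>/g) || [];
  return tags.length - templateTagCount;
}

// Session cookie built so client-side script cannot read it (HttpOnly),
// which limits what an injected script can exfiltrate.
function sessionCookie(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: a "name" that carries a script tag.
const SAMPLE_NAME = 'Bob<script>steal()</script>';

function demo() {
  const unsafe = renderUnsafe(SAMPLE_NAME);
  const safe = renderSafe(SAMPLE_NAME);
  return {
    unsafeInjected: injectedTagCount(unsafe, 2), // <p> and </p> belong to the template
    safeInjected: injectedTagCount(safe, 2),
    cookie: sessionCookie('abc123'),
  };
}
```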

This was first published in August 2006
