3.2  Cross-site Scripting

Cross-site Scripting (XSS) is an attack technique that forces a web
site to echo attacker-supplied executable code, which loads in a
user's browser. The code itself is usually written in HTML/JavaScript,
but may also extend to VBScript, ActiveX, Java, Flash, or any other
browser-supported technology.

When an attacker gets a user's browser to execute his code, the
code will run within the security context (or zone) of the hosting web
site. With this level of privilege, the code has the ability to read,
modify and transmit any sensitive data accessible by the browser. A
Cross-site Scripted user could have their account hijacked (cookie
theft), their browser redirected to another location, or possibly be
shown fraudulent content delivered by the web site they are visiting.
Cross-site Scripting attacks essentially compromise the trust
relationship between a user and the web site.

There are two types of Cross-site Scripting attacks, non-persistent
and persistent. Non-persistent attacks require a user to visit a
specially crafted link laced with malicious code. Upon visiting the link,
the code embedded in the URL will be echoed and executed within
the user's web browser. Persistent attacks occur when the malicious
code is submitted to a web site where it's stored for a period of time.
Examples of an attacker's favorite targets often include message
board posts, web mail messages, and web chat software. The
unsuspecting user is not required to click on any link, just simply view
the web page containing the code.
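
As an added illustration (not part of the original text), the JavaScript below applies one output encoder to both paths described above: a query value echoed straight back (non-persistent) and a stored message board post rendered later (persistent). The function names, the MessageBoard class and the sample input are all constructed for this example.

```javascript
// Added example; escapeHtml, renderSearch* and MessageBoard are hypothetical names.

// Encode the five characters that can change HTML parsing context.
// Sufficient for element content and for quoted attribute values only.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Non-persistent path: a request value echoed back into the response.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;             // echoes input verbatim
}
function renderSearch(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`; // encoded at output time
}

// Persistent path: posts are stored as submitted and encoded when rendered,
// so every viewer of the page receives inert text instead of markup.
class MessageBoard {
  constructor() { this.posts = []; }
  submit(author, body) { this.posts.push({ author, body }); }
  render() {
    // author lands in a quoted attribute, body in element content
    return this.posts
      .map((p) => `<div class="post" data-author="${escapeHtml(p.author)}">${escapeHtml(p.body)}</div>`)
      .join("\n");
  }
}

// Constructed sample input: a harmless marker script and a quote-bearing name.
const SAMPLE = '<script>alert("xss")</script>';
const board = new MessageBoard();
board.submit('mallory" onmouseover="x', SAMPLE);

console.log(renderSearchUnsafe(SAMPLE)); // markup reaches the browser intact
console.log(renderSearch(SAMPLE));       // same input shown as plain text
console.log(board.render());
```

The encoder covers HTML body and quoted-attribute contexts only; values placed inside script blocks, URLs or style attributes need encoding specific to those contexts.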
Example
Persistent Attack
Copyright 2004, Web Application Security Consortium. All rights reserved.



