Home > Computers > Security > Internet > Web > Cross Site Scripting
Cross-site scripting (XSS) vulnerabilities allow client-side scripts (JavaScript or ActiveX) from a third party to execute as if they originated from a trusted server.
This vulnerability is caused by unfiltered, unchecked input written to a web page by the trusted server. A third party may direct a user to send data to the trusted server. If the server expects non-script data but does nothing to ensure that no script is contained, it may pass the script back to the user to execute.
As a result, a third party may be able to steal data such as the user's password, read the user's private information, or act as the user.
http://www.usatoday.com/tech/news/2001-08-31-hotmail-security-side.htm
USA Today article by Byron Acohido that details WhiteHat Security's assessment of Hotmail, Yahoo, Amazon, and America Online.
http://httpd.apache.org/info/css-security/
How the attack affects websites hosted on the Apache web server, and Apache-specific issues.
http://www.cert.org/advisories/CA-2000-02.html
Advisory published jointly by the CERT Coordination Center, DoD-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND), the Federal Computer Incident Response Capability (FedCIRC), and the National Infrastructure Protection Center (NIPC).
http://www.devitry.com/security.html
Security consultant David deVitry offers background information, a free CSS vulnerability detector, and a list of vulnerable sites.
http://www.perl.com/pub/a/2002/02/20/css.html
Paul Lindner, author of the mod_perl cookbook, explains how to secure our sites against Cross-Site Scripting attacks using mod_perl and Apache::TaintRequest.
http://www.cgisecurity.com/articles/xss-faq.shtml
Answers questions on identification, threats, and prevention. Provides examples and links.
Thanks to DMOZ, which built a great web directory for nearly two decades and freely shared it with the web.