Home > Software Quality Tips > > Cross-site scripting: Intro to XSS
Software Quality Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 


Cross-site scripting: Intro to XSS


James Michael Stewart
08.26.2003
Rating: -2.50- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


Cross-site scripting (XSS) enables an attacker to send a customized request to a Web site that causes modified Web or e-mail code to be sent to another user. In other words, it allows an attacker to send malicious code to another user by exploiting a flaw or weakness in an Internet server. XSS attacks are used to exploit vulnerabilities on a victim's system to traffic malicious code rather than attack the system itself.

While XSS is not the most severe problem affecting Internet servers, it is still important enough to take seriously. Script or code sent to a victim via an XSS attack runs within the security context of the browser or e-mail viewer employed on the victim's system. In many cases this allows full read and write access to all of the user's personal data files and a considerable portion of the OS itself, such as driver files and configuration ...


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
Building security into the SDLC (Software development life cycle)
Problems caused by skipping analysis stage of SDLC
Inexpensive phase of SDLC to catch and fix bugs
GatherSpace beefs up cloud-based requirements management
ALM: Best of breed vs. complete systems
Software development life cycle phases, iterations, explained step by step
The role of quality assurance (QA) pros in software security
Common software security risks and oversights
Why the quality assurance department should be involved in testing
How to develop secure applications
Secure software development practices 'not rocket science'

Threat modeling
Web application security and the PCI DSS
The essentials of Web application threat modeling
How to implement security in Java EE and Java ME
Application security shouldn't involve duct tape, Band-Aids or bubble gum
Stop SQL injection attacks on applications
How to counter XSS attacks
Breaking the same origin barrier of JavaScript
Protection against "zero-minute" exploits
Denial of service and Ajax
CSRF attack vector with Ajax serialization

Software security testing and techniques
Free Web proxy security tools software testers should get to know
How to get management on board with Web 2.0 security issues
Web application security best practices: Tips on implementation
Testing strategies for complex environments
How to make your software tamperproof
Ways to approach application performance testing on a tight budget
How can I tell if my software security has been breached?
Is online application testing for smartphones different from other software testing?
Software testers facing six big challenges today, StarWest keynoter says
Lesser-known free software testing tools testers should try

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


settings.

A vulnerability was recently discovered in Microsoft Internet Security and Acceleration (ISA) Server 2000 that allows XSS. An attacker can alter the error pages for failed page requests or invalid data submissions that are sent to clients from ISA. The error pages can be altered so that they direct victims to download malicious code or access a malicious Web site. The compromised error pages can also force automatic download or URL activity on the victim's system.

This vulnerability in ISA is easily dealt with through a simple patch. If you are using ISA to protect your Internet server, I recommend reviewing Microsoft Security Bulletin MS03-028 and applying the patch to your systems.

About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This tip originally appeared on SearchSecurity.com

Rate this Tip
To rate tips, you must be a member of SearchSoftwareQuality.com.
Register now to start rating these tips. Log in if you are already a member.




DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



Software Design & Testing - Project Management
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts