What is an XSS attack?


XSS stands for Cross Site Scripting*, a type of attack in which hackers maliciously gather information from a user of your website, without the user being aware that anything is different or wrong until it is too late.

Before getting into what exactly XSS is, it is important to understand the difference between server side code and client side code. All code needs to be executed (or run) in order for you to see something on the website; the difference between client and server side code is where that code gets executed.

Server side code is executed on the server before you even load the web page. For example, when you accessed this page on my website, the server side code verified the page's URL, pulled the content out of the database and applied the content to the correct design file. Server side code cannot be manipulated without access to the server. This makes server side code a lot safer and, as I discussed with contact forms, it is a far better idea to use server side code for things that you do not want users changing.

Client side code is executed within the browser. For example, if you click on the "Free Estimate" button in the right hand corner of the QW Consulting website, the window that opens up is opened with client side code. If you knew JavaScript, you could change that button without access to the server. The key thing to note, though, is that any changes that are made are limited to your browsing session. In the case of the "Free Estimate" window, the worst thing you could do is get it to open a different page or open it in a different size. Even if you made those changes, anybody else viewing my website on a different computer would see the website as I programmed it and not as you altered it.

XSS attacks take advantage of the vulnerabilities in client side code. In simple terms, an XSS attack forces client side code to run where it shouldn't and, when it runs, gives the hacker some piece of information that the hacker shouldn't have. Let's look at a simple example.

Step one: The hacker creates a malicious link to your website. The link looks almost exactly like a valid link. However, the link the hacker created contains additional code that will run on your website once you've clicked the link. The hacker then sends that link to another user of your website, or posts that link on a blog or website forum.

Step two: It looks like a valid URL, so why not click on it? Unfortunately, when an unsuspecting user clicks on the link the hacker created, that extra code appended to the URL is also run.

What is that extra code? For example, the hacker could attach code that steals the unsuspecting user's cookies and therefore gains access to your website by pretending to be a different user. XSS can also be used to steal account credentials or, depending on how the code is structured, access private data about your business or about the account of the unsuspecting user.

What are you to do about this? The best solution is to make sure that all data coming in from URLs is verified to make sure it doesn't contain anything extra. In other words, everything - from extra data appended to URLs to contact form submissions - must be verified before using it in the code.
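
As an added example (not code from this website), the JavaScript below shows a page that greets visitors using a name value from the URL, first without any checking and then with the value verified and HTML-encoded before use. The function names, the example.test address and the name parameter are assumptions made for illustration, and the encoding step goes slightly beyond the verification described above.

```javascript
// Added example: a constructed page that greets the visitor using ?name= from the URL.
// All names here (renderUnsafe, renderSafe, example.test) are hypothetical.

// Escape the five characters that let text break out of HTML content or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Verify the value against what the page actually expects: a short plain name.
function isValidName(value) {
  return typeof value === 'string' && /^[\p{L}\p{N} .'-]{1,40}$/u.test(value);
}

// Before: the URL value is pasted straight into the HTML,
// so any markup appended to the link becomes part of the page.
function renderUnsafe(url) {
  const name = new URL(url).searchParams.get('name') ?? '';
  return `<p>Hello, ${name}!</p>`;
}

// After: reject values that fail verification, and encode whatever is written out.
function renderSafe(url) {
  const name = new URL(url).searchParams.get('name');
  if (!isValidName(name)) {
    return '<p>Hello, guest!</p>';
  }
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Constructed sample links: one normal, one carrying extra markup in the parameter.
const normalLink = 'https://example.test/welcome?name=Alice';
const tamperedLink = 'https://example.test/welcome?name=' +
  encodeURIComponent('<script>alert(1)</script>');

console.log(renderUnsafe(normalLink));   // plain greeting
console.log(renderUnsafe(tamperedLink)); // the script tag ends up inside the page
console.log(renderSafe(normalLink));     // plain greeting
console.log(renderSafe(tamperedLink));   // value rejected, generic greeting shown
```

The verification step refuses anything that is not a plain name, and the encoding step means that even a permitted character such as an apostrophe is written to the page as text rather than as markup.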

Unfortunately, because it takes longer to code that way, a lot of developers do not add in the necessary security checks. At QW Consulting, I never skip something so essential to the success of your business just to complete the project faster.

Contact QW Consulting today to learn more about XSS attacks and how to prevent these (and other) attacks on your website.

*In case you are wondering, CSS is an acronym for a design language called Cascading Style Sheets. The X is used in this acronym to avoid confusion.
