Cross-Site Scripting 101

Cross-Site Scripting, or XSS for short, is a method used to compromise user access of a third party website in one manner or another. The actual result of the attack - ranging from session theft (you don't log out, and the evildoer returns to the site using your credentials) to elaborate automated account hijacking - is unimportant for the purposes of this discussion. What's important is the understanding that any small vulnerability (in either browser or web service) can easily be escalated into a full-scale, automated, "change your password and empty your paypal account" attack with the right time and devotion from the attacker. XSS is by no means a new attack, and has been explained often before. It has not (to my knowledge) however been explained in a method which makes the average Wordpress or phpBB2 user motivated to keep the software they use up to date. Whitedust: Cross-Site Scripting 101

Linked by shanmuga Tuesday, 22nd November 2005 10:42PM