


Cross-site scripting, a security exploit in which the attacker inserts malicious client-side code into webpages, has been around since the 1990s, and most major websites like Google, Yahoo and Facebook have all been affected by cross-site scripting flaws at some point. Attacks exploiting XSS vulnerabilities can steal data, take control of a user's session, run malicious code, or be used as part of a phishing scam.

Many think Web 2.0 has created the latest round of XSS attacks; in fact, they're mainly just variations on an old theme. What is true, though, is that Ajax (asynchronous JavaScript and XML) technologies change the threat landscape in that they allow an attacker to exploit cross-site scripting vulnerabilities in a more covert manner. Ajax applications tend to be very complex, with many more interactions between the browser and server, and pages can even pull in content from other sites. This setup makes it difficult to test the many possible permutations of user and service interaction, allowing old vulnerabilities, such as XSS flaws, to be unwittingly introduced into the application.

Sites continue to fall prey to XSS attacks because most need to be interactive, accepting and returning data from users. This means attackers, too, can interact directly with an application's processes, passing data designed to masquerade as legitimate application requests or commands through normal request channels such as scripts, URLs and form data. This communication at the application layer can exploit poorly written applications to bypass traditional perimeter security defences.

According to a 2008 WhiteHat Security Statistics Report, 90% of all websites have at least one vulnerability, and 70% of all vulnerabilities are XSS-related.
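Because a site that accepts and returns user data writes it into several different contexts (HTML, URLs, script), each context needs its own encoding. The following is an added example, not code from the article; the function names, the `https://app.example/` base URL and the sample input are assumptions made for illustration.

```javascript
// Added example: context-specific output encoding for user-supplied data.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// For HTML element content and quoted attribute values.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// For a quoted string literal inside an inline <script> block: every
// character outside a small safe set becomes a \uXXXX escape, so the
// value can neither close the string nor close the script element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// For href/src attributes: parse first, allow only http(s), then
// HTML-encode the normalised URL for the attribute context.
function safeHref(value) {
  let url;
  try {
    url = new URL(String(value), 'https://app.example/'); // hypothetical base
  } catch (err) {
    return '#';
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return encodeHtml(url.href);
}

// One fragment that returns the same form input in three contexts.
function renderGreeting(name, homepage) {
  return '<p>Hello, ' + encodeHtml(name) + '</p>' +
    '<a href="' + safeHref(homepage) + '">homepage</a>' +
    '<script>var user = "' + encodeJsString(name) + '";</script>';
}

// Constructed sample input, as it might arrive via a form field or URL.
const sampleName = '</script><script>alert(1)</script>';
const sampleLink = 'JaVaScRiPt:alert(1)';
console.log(renderGreeting(sampleName, sampleLink));
```

Encoding at output time complements, rather than replaces, validating input when it is received.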
