Read It!

Thursday 29 December 2011

XSS Attacks (Ebook)



Cross-site scripting vulnerabilities date back to 1996 during the early days of the World Wide Web (Web). A time when e-commerce began to take off, the bubble days of Netscape, Yahoo, and the obnoxious blink tag. When thousands of Web pages were under construction, littered with the little yellow street signs, and the “cool” Web sites used Hypertext Markup Language (HTML) Frames. The JavaScript programming language hit the scene, an unknown harbinger of cross-site scripting, which changed the Web application security landscape forever. JavaScript enabled Web developers to create interactive Web page effects including image rollovers, floating menus, and the despised pop-up window. Unimpressive by today’s Asynchronous JavaScript and XML (AJAX) application standards, but hackers soon discovered a new unexplored world of possibility. Hackers found that when unsuspecting users visited their Web pages they could forcibly load any Web site (bank, auction, store, Web mail, and so on) into an HTML Frame within the same browser window. Then using JavaScript, they could cross the boundary between the two Web sites, and read from one frame into the other. They were able to pilfer usernames and passwords typed into HTML Forms, steal cookies, or compromise any confidential information on the screen. The media reported the problem as a Web browser vulnerability. Netscape Communications, the dominant browser vendor, fought back by implementing the “same-origin policy,” a policy restricting JavaScript on one Web site from accessing data from another. Browser hackers took this as a challenge and began uncovering many clever ways to circumvent the restriction.

Size: 7.34 MB

Its password is cwh

