Cross-site Scripting (XSS)

Posted August 22, 2008 at 10:32 pm in Vulnerabilities

Cross-site Scripting (XSS) is the most frequently recurring high-risk vulnerability class. In recent years XSS has surpassed buffer overflows to become the most common of all publicly reported security vulnerabilities.

XSS is an attack vector that targets the web application layer through scripts embedded on the client side (the web browser). Common client-side technologies such as HTML, JavaScript, ActiveX, VBScript, and Adobe Flash are targeted. The idea is to manipulate the client-side scripts of a web application so that they execute in the manner the malicious user desires. XSS is often used in conjunction with phishing and spear-phishing attacks.

By injecting code into a website an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other objects. The website itself has not actually been hacked; rather, it is made to appear as something other than what it truly is.

XSS is often overlooked as a security vulnerability. As Web 2.0 and its future successor press on, this must change. Reasons why XSS vulnerabilities must receive attention include:

  • Identity theft
  • Accessing sensitive or restricted information
  • Gaining free access to otherwise paid for content
  • Spying on user’s web browsing habits
  • Altering browser functionality
  • Public defamation of an individual or corporation
  • Web application defacement
  • Denial of Service attacks

These are all serious security threats facing information systems. In today’s must-socialize, must-network online world (e.g. Facebook), XSS is going to have a significant impact on many people, whether they realize it is occurring or not.

The URLs of many XSS-injected sites include a lot of hex codes. Two common hex codes that do not regularly appear in “normal” URLs are %3C and %3E, which correspond to the < and > characters that delimit tags in HTML, JavaScript, etc. The reason these characters are converted to hex is to disguise their appearance, as many users simply ignore anything that isn’t plain English. It is not uncommon to find a link in an e-mail that includes many hex codes and leads the user to a website that appears to be authentic.
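Because %3C and %3E seldom occur in legitimate query strings, their presence after decoding is a cheap signal to look for in web server logs. The following is an added example, not from the original post: a small log scanner that percent-decodes each request's query string and flags any that yields a raw < or >. It goes slightly beyond the paragraph in decoding repeatedly, so a double-encoded %253C is caught as well. The log lines, IP addresses and paths are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# HTML metacharacters that rarely occur in ordinary, human-typed URLs.
MARKUP = re.compile(r"[<>]")
# Common-log-format style line: client IP first, request path inside the quoted request.
REQUEST = re.compile(r'^(\S+) .*"(?:GET|POST|HEAD) (\S+) HTTP/')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing, so a double-encoded %253C is
    reduced to '<' just like a single %3C. max_rounds bounds pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def has_markup(url_path: str) -> bool:
    """True when the decoded query string of a request path carries '<' or '>'."""
    query = url_path.partition("?")[2]
    return bool(MARKUP.search(fully_decode(query)))


def flag_requests(lines):
    """Return (client_ip, request_path) for every log line whose query carries markup."""
    flagged = []
    for line in lines:
        m = REQUEST.match(line)
        if m and has_markup(m.group(2)):
            flagged.append((m.group(1), m.group(2)))
    return flagged


# Constructed access-log lines (not real traffic); the second and fourth carry encoded tags.
LOG_LINES = [
    '203.0.113.5 - - [22/Aug/2008:22:32:01 +0000] "GET /search?q=shoes HTTP/1.0" 200 512',
    '198.51.100.7 - - [22/Aug/2008:22:32:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.0" 200 540',
    '203.0.113.8 - - [22/Aug/2008:22:32:09 +0000] "GET /profile?id=42&name=O%27Brien HTTP/1.0" 200 377',
    '203.0.113.99 - - [22/Aug/2008:22:32:15 +0000] "GET /search?q=%253Cb%253Ehi%253C%252Fb%253E HTTP/1.0" 200 540',
    '203.0.113.12 - - [22/Aug/2008:22:32:20 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, path in flag_requests(LOG_LINES):
        print(f"possible XSS probe from {ip}: {path}")
```

Angle brackets are a deliberately narrow signal: they produce few false positives on typical traffic, but a scanner like this is a triage aid for reviewing logs, not a substitute for output encoding in the application.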

When a user visits a site that has been exposed to XSS, most of the time the user will not notice any difference between it and the real site and will supply their credentials or other sensitive data without knowing that the data has been compromised. The site appears legitimate but redirects the supplied data to the attacker, who can now authenticate as the user for whatever purpose the attacker wants (see the list above).
