The following is a first-person narrative, written from the perspective of an attacker utilizing cross-site scripting (XSS) methodology combined with phishing. The intent is to describe motive, method, and consequence. As indicated in April’s toolsmith, XSS is an epidemic. Sadly, it is rarely given its due; XSS is often considered an attack unworthy of much concern. Yet it is an attack of great consequence when utilized by a motivated attacker. Statistics claim that 90% of all websites have at least one vulnerability, and 70% of all vulnerabilities are XSS.
It is not difficult to make the leap that someone will be victimized, an exploit will be utilized, and a vulnerability taken advantage of. The common misconception is that XSS is not as dangerous because it does not “hack” the server. While there is some truth to that claim in most lights, it undermines the very essence of why we, as information security professionals, exist: to protect. Businesses and security vendors alike often forget or disregard that essence. We should not exist solely for the bottom line, corporate profits, growth metrics, or acquisition potential. Instead, let’s remember the consumer.
Point blank: XSS exploits consumers. The gullible and the innocent fall prey, and their financial well-being is often left to the greedy and malicious.
Validate your inputs (and outputs); follow a secure development life cycle; scan your web sites for vulnerabilities regularly; but do not assume you are safe just because some vendor says you are. Utilize a web application firewall in concert with good code and monitoring. Do not do it just because PCI compliance requires it; remember that it is your customers and your reputation that XSS harms. It can be prevented.
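To make the "validate inputs and encode outputs" advice concrete, here is an added example (not from the article or its author) contrasting a page that reflects a `name` query parameter straight into HTML with one that allowlists the input and applies context-appropriate output encoding. The parameter name, the username allowlist and the sample input are assumptions constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed allowlist for the one input this handler accepts; anything else is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(value: str) -> bool:
    """Input validation: accept only characters a username may legitimately contain."""
    return USERNAME_RE.fullmatch(value) is not None


def render_unsafe(name: str) -> str:
    """Vulnerable 'before': untrusted input lands in HTML text and attribute context unencoded."""
    return f'<p>Welcome back, {name}!</p><input name="q" value="{name}">'


def render_safe(name: str) -> str:
    """Hardened 'after': encode for each output context the value is written into."""
    text_ctx = html.escape(name, quote=False)  # &, <, > neutralised for element content
    attr_ctx = html.escape(name, quote=True)   # additionally " and ' for a quoted attribute
    return f'<p>Welcome back, {text_ctx}!</p><input name="q" value="{attr_ctx}">'


def handle_request(query_string: str, strict: bool = True) -> str:
    """Parse ?name=..., reject anything outside the allowlist, then encode on output.

    Output encoding happens even when validation is skipped (strict=False), because
    the page's point is defence in depth: validation and encoding, not one or the other.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    name = params.get("name", [""])[0]
    if strict and not validate_username(name):
        return "<p>Invalid username.</p>"
    return render_safe(name)


# Constructed sample input (not from the page): markup, quotes and an ampersand.
SAMPLE = '<i>guest</i> "quoted" & more'

if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE))
    print("safe   :", render_safe(SAMPLE))
    print("request:", handle_request("name=" + SAMPLE))
```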