You have just been promoted from a web application developer to a managerial role where you are responsible for the security of the company's web applications. Happy about the new job, you launch a web application security scan against all websites and find out that all of them have vulnerabilities that need to be fixed.
And here is where the problems begin. Many people working in the web application security industry think that some technical vulnerabilities are not dangerous and are therefore not worth investigating or fixing. This is a very common misconception;
What is Cross-Site Scripting?
Cross-site scripting, also known as XSS, is a very common web application vulnerability. By exploiting
Why Do Many Think That XSS Is Not Dangerous?
Many web application developers think that cross-site scripting is not a dangerous web vulnerability because the victim is the
Cross-Site Scripting is as Dangerous as SQL Injection
What if the victim of the cross-site scripting attack is the forum administrator, as has happened in many cases? In that case, the attackers would gain admin privileges to the forum or to any other vulnerable web application.
By combining a cross-site scripting attack with social engineering skills, hackers can still penetrate networks, hack web servers and steal sensitive data. That is exactly what happened to the Apache Software Foundation in 2010: an attacker exploited a cross-site scripting vulnerability and worked his or her way up to gain root access to the main apache.org shell servers. For more information about this attack, refer to the detailed Apache and JIRA attack documentation.
In the Apache incident mentioned above, the attacker exploited a non-persistent cross-site scripting vulnerability, so the attacker needed social engineering skills to carry out the attack in full. There were other cases in the past where attackers exploited a persistent cross-site scripting vulnerability, which has a much bigger impact and does not require social engineering skills to exploit. Refer to the cross-site scripting technical documentation for more information about the different XSS variants.
The Apache incident is not the only real-life hacking incident in which attackers managed to do a lot of damage by exploiting a cross-site scripting vulnerability. There are several others we've heard of, but not all have been documented and it is not possible to list them all here.
Exploit a Cross-Site Scripting Vulnerability to Steal Money
All web application vulnerabilities must be fixed because, if they are exploited, not only the company that owns the web application can sustain damage, but also its customers. And when that happens, legal issues come into play.
Some people might not be bothered if a particular forum they use has been hacked, even if their forum account was affected. Mostly they reset their password, delete all the hacker's activity and get on with life.
But what if the e-banking web application your bank uses is vulnerable to a cross-site scripting attack? If it is, maybe a hacker won't be able to take the system down but can easily hijack your e-banking session and transfer money out of your account.
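The defensive side of the session hijacking scenario above, as an added example that is not part of the original article: the same output encoding covers both the non-persistent (reflected) and the persistent (stored) variants, and the session cookie flags keep page script from reading the session identifier. All function names, the cookie name "sid" and the sample input are hypothetical and constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a harmless marker standing in for injected script.
SAMPLE = "<script>alert(1)</script>"

def render_search_vulnerable(query):
    """Non-persistent case: request data echoed into the page unencoded."""
    return f"<p>Results for {query}</p>"

def render_search_safe(query):
    """Same page with output encoding applied for an HTML text context."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"

def render_posts_safe(stored_posts):
    """Persistent case: encode every time a stored post is rendered, so
    content saved before the fix is neutralised as well."""
    items = "".join(f"<li>{html.escape(p, quote=True)}</li>" for p in stored_posts)
    return f"<ul>{items}</ul>"

def session_cookie_header(session_id):
    """Session cookie hardened against theft: HttpOnly hides it from page
    script, Secure limits it to HTTPS, SameSite=Strict keeps it off
    cross-site requests. This limits impact; encoding is still the fix."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id  # "sid" is a hypothetical cookie name
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()

# Defence in depth: only same-origin script files run, inline script does not.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")

if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE))   # markup reaches the browser intact
    print(render_search_safe(SAMPLE))         # markup rendered as inert text
    print(render_posts_safe(["hello", SAMPLE]))
    print("Set-Cookie:", session_cookie_header("abc123"))
    print(": ".join(CSP_HEADER))
```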
All Reported Web Application Vulnerabilities should be Fixed
As we have just seen, a cross-site scripting attack can be used to infiltrate the network of one of the most popular corporations in the
The aim of this article is not to scare people or to show them what an attacker can do by exploiting a cross-site scripting vulnerability, but to raise awareness about web application security misconceptions.
As a web application developer or security
Check your Web Applications for All Types of Vulnerabilities
Download the 15-day trial version of Netsparker to scan all your websites and web applications for vulnerabilities such as XSS and SQL injection. Netsparker will automatically crawl your website and, within minutes, provide you with all the technical details when a vulnerability is detected. For more information about Netsparker Web Application Security