Cross Site Scripting – More Than Just Alert Boxes
But let’s start at the beginning. There are 3 types of cross-site scripting vulnerabilities:
- Stored – a less common type of cross-site scripting that occurs when data submitted by the attacker is stored within the application. Attacks again stored cross-site scripting vulnerabilities usually include two requests: first the attacker posting some crafted data containing the malicious code, and then the victim unknowingly executing the code. These are usually more serious vulnerabilities.
So now that we know the different types of cross-site scripting vulnerabilities, what is the real risk of them?
- Virtual Defacement – This involves injecting malicious data into a page of a web application to feed misleading information to users. I’ve seen cases where it displays a page saying “You’ve been hacked!”. Attacks can also inject elaborate content and navigation into the site.
- Trojan Functionality – The attacker may go beyond virtual defacement and inject working Trojan functionality into the application, trying to trick users into preforming some kind of action. This might include a fake page to enter credit card information.
- Session Hijacking – An attacker can steal valid session tokens and log into the application as that user. We saw this in the StrongWebmail example.
So cross-site scripting is more than just an alert box on the screen. Serious risks come with all types of cross-site scripting vulnerabilities. Later we’ll talk about interesting places to look for these vulnerabilities besides open parameters.