Thursday, June 30, 2011

Testing for XSS Vulnerabilities - Introduction

Cross site scripting (XSS) is second most popular type of attack on web application. It allows attackers to execute scripts in victim’s browser and perform almost any action on users behalf. For example, script may hijack sessions or redirect the user to malicious sites.

This type of attack is relatively easy to perform and difficult to protect against. There are numerous different attack vectors and attacker needs only some knowledge of web technologies (JavaScript, CSS, HTML) to perform any of them. Moreover, one vulnerable place is enough to make whole application vulnerable.

This series of posts introduces XSS testing to a fictional development team working on a web project. The introduction describes both cross site scripting and fictional project requirements.