Java Reference
In-Depth Information
this sphere. hese vulnerabilities are discussed in detail in the
OWASP
or the
Open Web Application
Security Project
. he
OWASP is a body that is dedicated to the promulgation of Web application
security information. OWASP releases several free applications, publications, and journals, apart
from hosting a number of conferences dedicated to Web application security. he most popular
of their publications is the
OWASP Top Ten
list of the top 10 Web application vulnerabilities and
exploits based on their severity and impact on the world of Web applications. he OWASP Top
Ten lists the several vulnerabilities and the defenses using popular application development plat-
forms for the same. he OWASP Top Ten undergoes changes every so often, keeping with new-
age attacks and the diminishing of older attack vectors.
Some common Web application vulnerabilities are as follows:
◾
Cross-site scripting
◾
SQL injection
◾
Cross-site request forgery
Malicious ile execution and insecure object reference laws
◾
◾
Improper error handling and information leakage
Cryptographic laws
◾
◾
Unrestricted URL access
Authentication and session management laws
◾
5.4.2.1 Cross-Site Scripting
Cross-site scripting is an attack where the attacker can inject HTML code or JavaScript code into
the Web application. Cross-site scripting originated from the fact that a malicious user could access
another Web site through the use of a window or a frame and then, with the help of JavaScript,
write and read data into the other Web site. Cross-site scripting is popularly referred to as XSS,
so as to not confuse it with CSS, which stands for Cascading Style Sheets. XSS is one of the most
prevalent Web application vulnerabilities identiied across all Web sites and Web applications
in the world today. he WhiteHat Security Website Statistics Report for 2007 stated that 70%
of Web sites that were sampled as part of the population were vulnerable to cross-site scripting
vulnerabilities. According to several other studies, it was reported that around 80% of Web sites
and Web applications all over the world are vulnerable to cross site-scripting attacks. he negative
impact of an XSS attack may vary from one application to the other. Some do not consider XSS as
a debilitating attack, but that notion is ill conceived. Recent attacks using cross-site scripting have
shown that control over an entire application can be gained with a cross-site scripting attack.
*
XSS
attacks in recent times have reared their ugly head in the form of XSS worms, which have plagued
many Web applications. here are two types of XSS vulnerabilities:
◾
Persistent XSS
Relected XSS
◾
5.4.2.1.1 Relected XSS
Relected XSS vulnerabilities are the easiest to ind and the easiest to exploit among all XSS
vulnerabilities. Relected XSS, as the name indicates, just relects the user input back to the user.
*
XSS attacks gain control over user accounts and applications: http://blogs.zdnet.com/security/?p=3514.
Search WWH ::
Custom Search