Cross-Site Scripting (XSS) – A Real-World ExampleJune 14, 2008 – 7:56 AM
Cross-Site Scripting (XSS) is an attack that’s pretty basic to detect, pretty basic in execution, and you’d think that it would be rather simple to understand. Unfortunately this is apparently not the case. I won’t go into the details of Cross-Site Scripting because others have beat that to death – but rather I’m going to go through a little real-world exercise for you. I’m hiding the actual URL until the site owner either does something about it, or ignores this issue long-enough for me to disclose it on this blog.
First, I’ve been looking around and just doing non-invasive, non-malicious checks to see how wide-spread XSS is on some of the sites I use regularly. I came across one that made me think, and so I got a little creative and came up with a real-world use-case for this vulnerability, and how it can be executed and cause real damage.
Looking at the URL and I though – gee, I bet I can make it look like the user has to click to get results and send them somewhere malicious.