
Cross-site Scripting (XSS) Web Attacks Could Get Dramatically Worse, Researchers Claim

Category: General Security
Published: 04/04/2007, 11:20  
Editor: Remus Zoica
At the Black Hat security conference in Amsterdam, Ernst & Young researchers will detail how combining two attack types can make them far more effective than either is on its own. They will show that the threat from cross-site scripting (XSS) web attacks could get dramatically worse if hackers start combining it with cross-site request forgery (CSRF) attacks.

The researchers will demonstrate two attack modes. The first shows how an easy-to-infect social networking page can be used as a proxy for an attack on a credit union by hijacking a user's session. The second shows how the same principle of hijacking a user's browser can be used to evade conventional database security in a company network, which would otherwise block database queries from any external source. In both examples, the attack appears to come from the hijacked machine rather than from the real source: CSRF is used to execute the veiled attack, and XSS is used to get session feedback.

Billy Rios of Ernst & Young stated: "We're in a stage now where people know about it, but are ignoring it, and that's kind of dangerous. We will show how when you use the two in combination, you can use the strength of one to overcome the weakness of the other. Any kind of client-side vulnerability that's leveraged by using it in combination with another one expands your [the attacker's] arsenal."

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

Cross-site request forgery (CSRF), also known as a one-click attack or session riding and abbreviated as CSRF (pronounced "sea-surf") or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts. Compared to XSS, CSRF attacks are not well understood by many web developers and few defense resources are available.
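The two definitions above describe distinct weaknesses with distinct fixes: XSS is defeated by encoding untrusted data before it is placed in a page, and CSRF by tying each state-changing request to a secret the browser will not send on a cross-site page's behalf. The following is an added example, not code from the article or from the Ernst & Young researchers; the site origin `https://bank.example`, the `handle_transfer` endpoint and the session/header/form dictionaries are constructed stand-ins for a real web framework.

```python
import hmac
import html
import secrets
from urllib.parse import urlparse

# Hypothetical origin of the protected site (constructed for this example).
ALLOWED_ORIGIN = "https://bank.example"


# --- XSS: reflecting untrusted input, vulnerable form beside the hardened one ---

def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: untrusted text is interpolated straight into HTML, so any
    markup or script it contains is parsed by the victim's browser."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: html.escape turns <, >, &, " and ' into entities, so the
    browser displays the text instead of executing it."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# --- CSRF: synchronizer token plus Origin check on a state-changing request ---

def issue_csrf_token(session: dict) -> str:
    """Generate a per-session secret and store it server side; the page embeds
    it in forms, and a cross-site page cannot read it (same-origin policy)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_forged_request(session: dict, headers: dict, form: dict) -> bool:
    """Return True when a state-changing request must be rejected."""
    # 1. Browsers attach Origin (or at least Referer) to cross-site POSTs;
    #    fail closed if neither is present or it names another site.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return True
    parts = urlparse(origin)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return True
    # 2. The submitted token must match the session's token; compare_digest
    #    avoids leaking the token through timing differences.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return True
    return False


def handle_transfer(session: dict, headers: dict, form: dict) -> str:
    """Simulated money-transfer endpoint; returns a status string."""
    if is_forged_request(session, headers, form):
        return "rejected"
    return f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    # Constructed requests: one legitimate, two riding the victim's session.
    session = {}
    token = issue_csrf_token(session)
    legit = handle_transfer(session, {"Origin": ALLOWED_ORIGIN},
                            {"csrf_token": token, "amount": "10", "to": "alice"})
    cross_site = handle_transfer(session, {"Origin": "https://social.example"},
                                 {"csrf_token": token, "amount": "10", "to": "alice"})
    no_token = handle_transfer(session, {"Origin": ALLOWED_ORIGIN},
                               {"amount": "10", "to": "alice"})
    print(legit, cross_site, no_token)
    print(render_comment_safe("<script>alert(1)</script>"))
```

The two defenses are not independent, which is the point the researchers make: the CSRF token is safe only because a foreign page cannot read it, and an XSS flaw on the same origin hands injected script exactly that read access. Fixing output encoding therefore protects the CSRF token as well, and a site that does one without the other still has the combined exposure described in the article.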

While XSS attacks are the bane of web and e-commerce security, CSRF is less well documented, though, the researchers will claim, just as powerful. Such a technique is much harder to do anything about because it depends on hijacking legitimate sessions, something that is inherently hard to detect.