This article describes a common application layer hacking technique, Cross-Site Scripting (XSS), wherein attackers inject client-side scripts into web pages.

XSS is a security vulnerability found in web applications: attackers inject client-side scripts into web pages. It is the most common application layer hacking technique. It leverages a flaw in the code of a web application to let an attacker deliver malicious content to an end user and collect certain types of data from the victim. Attackers embed malicious JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable dynamic page to fool the user; the script then executes on the user's machine to gather data. With it they steal the user's cookies, forge requests that can be mistaken for those of a valid user, or execute malicious code on the end user's system.

How XSS happens

You might assume that an attacker first has to break the security of your web server and then upload and modify files on that server. An XSS attack is much easier than that. Let me explain one scenario.

Suppose that you provide a user comment section on your website. An attacker could use that comment feature to post a comment that contains a script. Every user who views that comment downloads the script, which executes in their browser and causes undesirable behavior.

The form that the XSS data comes in
Example of XSS

Let us assume we have an error page that handles requests for non-existing pages. We write code in the following form:

Impact of XSS

Attackers can perform a variety of malicious activities, such as:
XSS Defense
Preventing XSS Attacks

To help prevent XSS attacks, an application needs to ensure that all variable output in a page is encoded before being returned to the end user.

Encoding variable output substitutes HTML markup characters with alternate representations called entities. The browser displays the entities as text but does not interpret them as markup. For example, <script> gets converted to &lt;script&gt;.

When a web browser encounters the entities, it renders them as the literal characters and displays them, but it does not parse them as HTML. For example, if an attacker injects <script>alert("you are attacked")</script> into a variable field of a server's web page, the server will, using this strategy, return &lt;script&gt;alert("you are attacked")&lt;/script&gt;.

When the web browser receives the encoded script, it renders it back as <script>alert("you are attacked")</script> and displays that text as part of the web page, but the browser does not run the script.

XSS Prevention Rules

The following are the rules of XSS prevention:

References:

XSS (Cross Site Scripting) Prevention Cheat Sheet.
Microsoft Web Protection Library.
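The following is an added example, not code from the article, showing the output-encoding strategy just described applied to the two scenarios the article uses: the user comment section (stored XSS) and the error page that echoes the requested path (reflected XSS). Each renderer is shown in its vulnerable form next to its hardened form. The function names (encodeHtml, renderCommentSafe, renderNotFoundSafe, containsScriptTag) and all sample inputs are constructed for this illustration.

```javascript
// Added example (not from the article): HTML entity encoding of variable
// output, applied to a comment renderer and a "page not found" handler.
// All names and sample inputs below are constructed for illustration.

// Markup characters that must never reach the HTML body unencoded.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Substitute HTML markup characters with entities. The browser renders an
// entity as the literal character but never parses it as a tag or attribute.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: the user's comment is concatenated straight into the page.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: the comment is encoded before it is placed in the HTML body.
function renderCommentSafe(comment) {
  return `<li class="comment">${encodeHtml(comment)}</li>`;
}

// Vulnerable "page not found" handler that echoes the requested path.
function renderNotFoundUnsafe(requestedPath) {
  return `<h1>404</h1><p>The page ${requestedPath} does not exist.</p>`;
}

// Hardened handler: the requested path is treated as text, not markup.
function renderNotFoundSafe(requestedPath) {
  return `<h1>404</h1><p>The page ${encodeHtml(requestedPath)} does not exist.</p>`;
}

// Crude check used only to illustrate the difference: does the rendered
// output still contain a raw <script> start tag that a browser would run?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the payload quoted in the article.
const payload = '<script>alert("you are attacked")</script>';

console.log("unsafe comment :", renderCommentUnsafe(payload));
console.log("safe comment   :", renderCommentSafe(payload));
console.log("unsafe 404     :", renderNotFoundUnsafe("/missing" + payload));
console.log("safe 404       :", renderNotFoundSafe("/missing" + payload));
```

The hardened renderers only cover variable output placed in the HTML body; output inserted into an attribute value, a URL or a script block needs the encoding appropriate to that context, which is what the prevention rules referenced below address.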