Cross-site scripting (XSS) attacks have been among the most common and best-known Web security flaws of recent years. Although their nature has been researched for a few years now, cross-site scripting attacks are still widely used to capture sensitive information from Internet users.
Cross-site scripting attacks are often used on sites handling personal information, such as internet banking, money handling or internet auction sites. Forged sites that use cross-site scripting aim to perform phishing attacks that attempt to swipe login credentials, and they are hard to detect even for internet safety-aware users. Cross-site scripting is often called script injection and is launched on dynamically generated web sites. If a user clicks on a URL containing manipulated JavaScript code, the target web site assumes there has been user input in that URL request. Once a user clicks the forged URL, a script is executed, allowing the hacker to exploit the target site.
To this extent, a successfully launched cross-site scripting attack allows attackers to serve the forged web site instead of the genuine one to the legitimate user. Users think they are viewing their online banking facility, when they are in fact feeding the attacker's site with personal information and login credentials.
The host site is displaying a malicious web page, rather than a real site. This cross-site scripting technique is often used to grab login user names, passwords and other sensitive data.
This kind of phishing attack has become extremely popular in recent years and is the cause of an increasing number of fraudulent financial transactions and identity thefts. This is possible because many users do not pay attention when clicking on links in the spam e-mail messages they receive. Those junk e-mail messages, often posing as a genuine message from a bank, attempt to convince a user to click on a forged link leading to a malicious site that looks very much like the genuine one.
Such attacks rely very much on spoofing techniques, where a URL that has been forged looks very much like a trusted one.
These techniques are useless, however, when the trusted site uses an SSL certificate and the user has a good level of security awareness.
Cross-site scripting attacks are often launched on an SSL-trusted site; however, the SSL certificates the attackers use cannot be verified by a certification authority like VeriSign. This is indicated by a small padlock icon at the bottom of the web browser, and it is the user's responsibility to double-check the authenticity of a certificate before providing any login names or passwords.
Thus, to prevent cross-site scripting attacks and phishing attack attempts it's crucial to examine the SSL certificate on every trusted site we are visiting.
Like other internet attacks, cross-site scripting and phishing attacks can be prevented from happening only if a good level of safety-awareness amongst the users is ensured. Therefore it's vital for any organisation and individual to educate themselves about possible risks of clicking on links from untrusted sources.
A good habit to prevent phishing attacks is to always type the requested URL by hand in the web browser and never click on links in scam messages, which often include fake URLs that always look genuine and can be very persuasive.
Browser session hijacking
Besides phishing, browser session hijacking is the most commonly launched cross-site scripting attack nowadays. In it, a manipulated script on a web site is used to grab information stored in the browser's cookies and session files. These files often store authentication information that is used to validate the user's session. A stolen cookie file could therefore be used to steal sensitive information stored in it, such as a login name and/or password. That information could be used by an attacker to log in to an online banking facility or to make an online purchase on the user's behalf.
Security researchers believe that script injection isn't a software problem, and that certain web sites may require specific functionality to prevent cross-site scripting attacks. Script-injection attacks therefore have to be prevented by security-aware web programmers.
The best way to prevent those attacks is to validate any user's input before submitting it to the actual application. User input must always be treated as potentially dangerous to security and to the site itself, which is why any piece of information a user provides must be validated.
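An added example, not part of the original article: a page that reflects a URL parameter, first without validation and then with allow-list validation applied before the value reaches the application. It goes beyond the article by also HTML-encoding the value on output; the function names, the `q` parameter and the bank.example host are assumptions made for illustration.

```javascript
// Hypothetical search page that echoes the "q" URL parameter back to the user.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list: letters, digits, spaces and a little punctuation, 1 to 64 characters.
const SEARCH_TERM = /^[\p{L}\p{N} .,_'&-]{1,64}$/u;

// Returns the cleaned term, or null when the input is missing or not allowed.
function validateSearchTerm(raw) {
  if (typeof raw !== 'string') return null; // a missing parameter arrives as null
  const term = raw.normalize('NFC').trim();
  return SEARCH_TERM.test(term) ? term : null;
}

// Vulnerable: the URL parameter is copied into the page unchanged.
function renderSearchUnsafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q');
  return `<p>Results for ${q}</p>`;
}

// Hardened: reject input that fails validation, then encode it on output too,
// so characters the allow-list permits (' and &) still cannot alter the markup.
function renderSearchSafe(requestUrl) {
  const q = validateSearchTerm(new URL(requestUrl).searchParams.get('q'));
  if (q === null) {
    return { status: 400, body: '<p>Invalid search term.</p>' };
  }
  return { status: 200, body: `<p>Results for ${escapeHtml(q)}</p>` };
}

// Constructed sample requests (not taken from any real site).
const benign = 'https://bank.example/search?q=O%27Neil%20%26%20Sons';
const forged = 'https://bank.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

console.log(renderSearchUnsafe(forged)); // script tag reaches the page intact
console.log(renderSearchSafe(forged));   // rejected with status 400
console.log(renderSearchSafe(benign));   // accepted, special characters encoded
```

Validation alone depends on the allow-list staying strict; encoding at the point of output keeps the page safe if the list is later relaxed.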