XSS attacks: How to save yourself

Today, almost all of us have accounts on Facebook, and several other online accounts besides. What if I told you that your account may get hacked without you realizing it? What if I told you that clicking a harmless-looking link can cause you to lose your account? Would you laugh it off? If your answer is yes, think again.

I can give you a simple link. You click it and it opens up Google. That’s all I need to hack into your account. Better yet, I can have a web page with an image, and as soon as that image loads in your browser, your security is compromised.

If you’re with me until now, read on.

This article – as the name suggests – is about cross-site scripting (XSS) attacks, and how to prevent your personal information from being stolen by one. First up: this article isn’t a tutorial for XSS. It’s for people who are not familiar with all this network security stuff.

First things first. Cookies. Yeah, really. What are cookies? Cookies are small pieces of data that a website stores on your PC so that it can recognise you on later visits, keep track of your movements, and so on. So, the reason you can close your browser and, on opening Facebook again, still find yourself logged in – that’s because of cookies.

Also, I’d like you to know a little about XSS. Even though this post isn’t meant to teach what XSS actually is (I’ll write something on that down the line), it’s still good to have a basic idea of what might hit you. XSS is an attack built on a scripting language, primarily JavaScript. What can JavaScript do? It can do all kinds of weird sh!t. For example, it can open a lot of pop-up windows. It can be written so that whenever you open a page, some information gets sent to a page of my choosing without you even knowing it. And, most important of all, it can be used to send your cookies away.

Almost all the websites you visit these days use some JS. That’s not to say it is only used for malicious purposes – JS is used for some great stuff too. But someone who wants to use it for bad ends can do so just as easily. To execute JS, one can have a link pointing to something like:

javascript: <some JS code>

Or, if the JS is embedded in the page itself, it runs however the person who created that page wants it to. This can mean that, for example, whenever you move your mouse over some part of the page, some information is sent in the background without your knowledge – and that includes cookies.

There are other ways too, but I’ll not discuss them here. Now, what happens once your cookies have been sent over? For example, I have an account with a free web hosting service. With that, I can set up a page that records whatever information is sent to it.

Generally, it’s the link-based attacks you should be aware of (I won’t explain the reason though). In such cases, the information is sent to the page that does the recording, which then redirects you to some other website. Most of you won’t even glance at the address bar when Google opens up in front of you. So, while you are thinking that the link simply pointed you to Google, something has already happened. Your cookies have been saved in a log file somewhere and you don’t even know about it.

Now, what can the other person do with these cookies? Well, he can load your cookies into his own browser – exactly as they sit in yours – and tada! In many cases he should be able to open your account just by going to that website.
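The reason stolen cookies are so useful is that the script could read them in the first place. A site can take that away: a cookie set with the HttpOnly attribute is sent with requests as usual but is hidden from page scripts, so it cannot be read through document.cookie and sent off. The following is an added example, not code from the original post, that audits a site's own Set-Cookie headers for the attributes that matter here; the header values and the name sessionid are constructed for the demonstration.

```javascript
// Added example, not code from the original post: audit Set-Cookie headers
// for the attributes that keep a session cookie away from page scripts.
// A cookie without HttpOnly can be read through document.cookie, so any
// script running in the page (injected or otherwise) can send it off;
// HttpOnly closes that path.

// Parse one Set-Cookie header value into { name, value, attrs }, where
// attrs is a Map keyed by lower-cased attribute name (value true for
// flag attributes such as HttpOnly, the string value otherwise).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const [key, ...rest] = trimmed.split("=");
    attrs.set(key.toLowerCase(), rest.length ? rest.join("=") : true);
  }
  return { name, value, attrs };
}

// Return the list of problems found for a cookie that carries a session.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.has("httponly")) {
    findings.push(`${name}: missing HttpOnly, readable through document.cookie`);
  }
  if (!attrs.has("secure")) {
    findings.push(`${name}: missing Secure, will also be sent over plain HTTP`);
  }
  const sameSite = attrs.get("samesite");
  const mode = typeof sameSite === "string" ? sameSite.toLowerCase() : null;
  if (mode === null || mode === "none") {
    findings.push(`${name}: SameSite ${mode === null ? "unset (browser defaults differ)" : "None"}, sent on cross-site requests`);
  }
  return findings;
}

// Build the Set-Cookie value a site should use for its session id.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample headers, as a site's own responses might carry them.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/",                        // weak: script-readable, plain HTTP, no SameSite
  "sessionid=abc123; Path=/; Secure; SameSite=Lax",  // better, but still script-readable
  hardenedSessionCookie("sessionid", "abc123"),      // nothing to report
];

for (const h of SAMPLE_HEADERS) {
  const findings = auditSessionCookie(h);
  console.log(h, "=>", findings.length ? findings : "ok");
}
```

Run it against the headers your own site returns at login (copy them from the browser's network panel). Anything a script can read is something a script can steal, so HttpOnly is the attribute to insist on for the cookie that keeps you logged in.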

How to prevent this from happening?

Well, the first thing you can do is this: NEVER paste anything into your address bar that starts with ‘javascript:’ unless you know what you’re doing. Secondly, always check where a link points by hovering over it and looking at the bottom corner of the browser window. If it begins with ‘javascript:’ then there may be risk involved. Also, the surefire way to avoid this is to turn off JS in your browser, but that can hamper the functioning of many websites too.
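The hover check above is exactly what a site or an extension can automate: look at the scheme a link resolves to and refuse anything that isn't plain http or https. The following is an added example, not code from the original post, using the URL parser built into browsers and Node. That parser is used on purpose: it strips leading spaces and embedded tabs and lower-cases the scheme, so disguised spellings of ‘javascript:’ come out the same as the plain one. The base address example.com and the sample hrefs are constructed for the demonstration.

```javascript
// Added example, not code from the original post: classify a link target
// by its scheme before trusting it. Only http and https pass; everything
// else, "javascript:" included, is refused.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve href against the page it appears on (so relative links work)
// and report the resulting scheme. Returns { safe, scheme, reason }.
// The default base is a placeholder; pass the real page URL in practice.
function classifyHref(href, pageUrl = "https://example.com/") {
  let url;
  try {
    // WHATWG parsing: trims leading/trailing whitespace, drops tabs and
    // newlines anywhere, lower-cases the scheme.
    url = new URL(href, pageUrl);
  } catch (e) {
    return { safe: false, scheme: null, reason: "unparseable href" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { safe: false, scheme: url.protocol, reason: `scheme ${url.protocol} not allowed` };
  }
  return { safe: true, scheme: url.protocol, reason: "ok" };
}

// Constructed sample hrefs, as a link-vetting routine might see them.
const SAMPLE_HREFS = [
  "https://www.google.com/",            // allowed
  "/profile",                           // relative, resolves to https: here
  "javascript:void(0)",                 // refused
  "  JaVaScRiPt:void(0)",               // same scheme once parsed
  "java\tscript:void(0)",               // tab removed by the parser, same scheme
  "data:text/plain,hello",              // not on the allow-list
  "http://[",                           // does not parse at all
];

for (const href of SAMPLE_HREFS) {
  const result = classifyHref(href);
  console.log(JSON.stringify(href), "=>", result.safe ? "ok" : result.reason);
}
```

Two caveats. The check sees an href the way a browser does after HTML parsing; if you scan raw page source instead, decode HTML entities first or an encoded ‘javascript:’ will slip past. And it only covers the link-based case the post singles out: script already embedded in the page is not a link and cannot be caught this way.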

Anyway, I’ll have more on XSS somewhere down the line. This is it for the time being. Please leave a comment. Also, like and share.