How to explain XSS to a common web owner/user?
How would you explain a cross-site scripting vulnerability to a non-programmer (common web user)?
You're visiting a website with comments enabled. Someone posted a script as a comment that, once loaded in your browser, is able to hijack your browser. It is then able to use your currently logged-in credentials to pretend it's you, steal your information, or do many other bad things you could come up with if you let someone you didn't know use your account.
Hacking with malicious intent! (Yes, we use hacking for good purposes too.)
If it doesn't scare them, remind them of Facebook (consented XSS; they gather tons of data anyway, no need for XSS)! Hope it works!
In simple terms:
Unless you install a JavaScript blocker or disable JavaScript, your web browser will automatically trust the code on the webpages you visit to access information you have saved on those sites and to see the things you do on those sites.
Information that can be saved includes your username and password for the site or anything you type or do while you're on that site.
Cross-site scripting vulnerabilities occur when a site has code on it that was placed there by someone other than the person or company who owns the site.
Because your web browser will automatically trust the code it finds on the site, whoever placed the code there will be able to see the things you do on that site and maybe even trick your browser into doing things on that site that you don't want to do.
I don't think the average user is capable of understanding XSS. But the easiest way to put it is that it's a type of code-injection vulnerability caused by sites not sanitizing input from users and thus allowing malicious client-side code to be injected onto the site.
You might offer an example like:
J-Mart's Online Store allows users to post reviews.
The user reviews are not properly sanitized, so JavaScript code can be embedded in the review.
A J-Mart admin comes along and logs into the store's admin panel.
He then takes a look at a user review with the malicious code embedded in an image tag.
His browser loads the page and tries to download the image by evaluating the JavaScript in the img tag's src attribute.
The JavaScript makes an AJAX request that adds a dummy administrator account to the J-Mart store.
Because the J-Mart admin was logged in, this request succeeds, and now the attacker has administrative access to the J-Mart store.
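The J-Mart scenario above, as an added example that is not part of the original thread or any real J-Mart code. It models the review page in plain JavaScript: one function pastes the review straight into HTML the way a site with a stored XSS bug does, the other HTML-encodes it first, which is the actual fix. The review text, the admin endpoint `/admin/users` and the `countTags` check are constructed for this example. Note that the payload uses an `onerror` handler rather than JavaScript in the `src` attribute, because current browsers do not execute `javascript:` URLs in an image `src`; the effect the answer describes (a request fired with the admin's cookies) is the same.

```javascript
// Added example, not code from the original thread. Models the J-Mart
// review page: renderReviewUnsafe() reproduces the stored-XSS bug,
// renderReviewSafe() applies the fix (HTML-encode user input on output).

// Constructed attacker review. The onerror handler runs in whoever views
// the page; if that is a logged-in admin, the request carries their session.
// '/admin/users' is a hypothetical endpoint assumed for this example.
const ATTACKER_REVIEW =
  'Great store! <img src="x" onerror="fetch(\'/admin/users\', ' +
  '{method:\'POST\', body:\'name=attacker&role=admin\'})">';

// Encode the five characters that can break out of HTML text or an
// attribute value. This is the minimum needed for text/attribute contexts;
// other contexts (JS, URL, CSS) need their own encoders.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the review is concatenated into the page as live markup.
function renderReviewUnsafe(review) {
  return `<div class="review">${review}</div>`;
}

// Fixed: the review is encoded, so the browser shows the attacker's tag as
// literal text instead of creating an <img> element and running onerror.
function renderReviewSafe(review) {
  return `<div class="review">${escapeHtml(review)}</div>`;
}

// Counts opening tags in the rendered HTML. The template itself contributes
// exactly one (<div>); anything beyond that came from user input.
function countTags(html) {
  return (html.match(/<[a-z][^>]*>/gi) || []).length;
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderReviewUnsafe(ATTACKER_REVIEW));
  console.log('safe:  ', renderReviewSafe(ATTACKER_REVIEW));
  console.log('tags unsafe/safe:', countTags(renderReviewUnsafe(ATTACKER_REVIEW)),
              countTags(renderReviewSafe(ATTACKER_REVIEW)));
}
```

Output encoding at render time is the core fix; "sanitizing input" on the way in, as the answer phrases it, is fragile because the same string may later be written into a different context. In a real store you would also want the admin action to require a CSRF token and the session cookie to be marked `SameSite`, so that even a successful script injection cannot silently create accounts.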