Start your free trial Introduction: With the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the functionalities to their users with a single click. In this quest for providing the customers with single click solutions, all the sensitive data is shifted on to a server which is then accessed by a web application. In most of the scenarios, web applications have direct access to the backend database and thus control valuable data. With a simple well crafted malicious payload a hacker can now get all the information from database. The real question is how it can be achieved. Below are some of the checks that are in place to ensure that security holes in the web application are identified: Threat Modeling deals with identifying threats, attacks, vulnerabilities, and countermeasures for your application in the design phase.

Author:Faugis Digami
Language:English (Spanish)
Published (Last):23 September 2010
PDF File Size:19.49 Mb
ePub File Size:20.70 Mb
Price:Free* [*Free Regsitration Required]

Think of how often you receive an e-mail with a hyperlink. If you clicked the link and logged into the site, you could have revealed your logon information to a hacker…just that easily. This example illustrates an increasingly popular hacking phenomenon known as cross-site scripting.

Users may unintentionally execute scripts written by an attacker when they follow links in disguised or unknown sources, either in web pages, e-mail messages, instant messages, newsgroup postings, or various other media.

Because the malicious scripts use the targeted site to hide their origins, the attacker has full access to the retrieved web page and may send data contained in the page back to their own server. Although the security community has discussed the dangers of cross-site scripting attacks for years, the true dangers of these vulnerabilities have often been overlooked.

The purpose of this paper is to educate both application developers and end users on the techniques that can be used to exploit a web application with cross-site scripting, suggest how to eliminate such vulnerabilities from web applications, and teach end users how to recognize and reduce the risk they face from a cross-site scripting attack.

All Rights Reserved. No reproduction or redistribution without written permission. This allows an attacker to embed malicious JavaScript code into the generated page and execute the script on the machine of any user that views that site. Cross-site scripting could potentially impact any site that allows users to enter data. An attacker who uses cross-site scripting successfully might compromise confidential information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems.

To represent various elements such headers, tables, paragraphs, and lists, some special notations called tags are used. A tag contains a left angle bracket, a tag name, and a right angle bracket. Tags are usually paired e. Stay Secure. When a web browser opens an HTML document, it will recognize tags and apply instructions to the string in between according to the tag name.

The following is an example of a simple HTML document. When browsing web sites, your web browser is a client program that makes requests for example, that a certain web page be displayed from a web server somewhere on the Internet. An important element of HTTP is how servers handle requests from clients remote computers connecting to the server via the World Wide Web.

A session can be defined as the matched pair of a client request and a server response. While that sounds complicated, it is really quite simple. Each request made by a client is handled individually by a server. Multiple requests made by the same client are each treated as unique by the responding server.

In other words, the server does not attempt to maintain a connection with the client at any time. This element of HTTP is one of the reasons cross-site scripting attacks can be so successful. Once a server accepts a request and dynamically generates a web page with script injected by an attacker, it is too late. The potential for damage has already been done. For example, a search engine site accepts requests and then displays the results of the search criteria the user entered.

This may seem harmless. If so, the search engine is probably susceptible to a cross-site scripting attack. This is a common method attackers use to find vulnerable sites. To simulate an advanced cross-site scripting attack, we created an online banking site www. The attacker starts by searching a targeted web site for pages that return client-supplied data.

In this example, the attacker finds that when a login attempt fails, the FreeBank web application displays the username that was entered see Figures 1 and.


alm professional jobs in tigri



HP WebInspect Tutorial






Hp Webinspect Crack Serial Keygen


Related Articles