Cross Site Scripting & Cross Site Request Forgery Flashcards
What is Cross Site Scripting (XSS) and what are the 3 different types of XSS attacks?
Occurs when an attacker embeds malicious scripts into a trusted website.
There are 3 types of XSS attacks:
Stored/Persistent
Reflected
DOM-Based
Note: The attacker is trying to gain elevated privileges, steal information from cookies, or steal other information from the user's browser. This is an attack on a user, not a server.
Note: The user is generally attacked by connecting to a compromised trusted website. The user connects, the code on the compromised website is downloaded by the user's browser, and the attacker gains access.
What is a Stored/Persistent XSS attack?
Attempts to get data provided by the attacker to be saved on the web server by the victim.
What is a Reflected XSS attack?
Attempts to have a non-persistent effect activated by a victim clicking a link on the site.
What is a DOM-Based XSS attack?
Attempts to exploit the victim's web browser.
Note: Often called a "client-side XSS" attack. The DOM is part of the user's web browser.
How do you prevent XSS attacks?
With output encoding and proper input validation.
What is Cross-Site Request Forgery? (XSRF/CSRF)
Occurs when an attacker forces a user to execute actions on a web server to which the user is already authenticated.
Note: If you are connected/authenticated to your bank for example, the attacker sends a command to the bank via your authentication and it appears as if the command came from you.
How do you prevent XSRF attacks?
Programmers should require special tokens on web pages such as CAPTCHAs, encryption, XML file scanning, and cookie verification.