The Aftermath of the Heartbleed Bug

The Heartbleed bug, a security flaw in the popular OpenSSL library used for data encryption, has taken the web security world by storm, and the victim toll has started to rise. The first reported victims include the Canada Revenue Agency (with 900 social security numbers stolen) and Mumsnet, a popular UK website with over 1.5 […]

Read More →

Elaborate Ways to Exploit XSS: XSS Proxies

In his book “Web Application Vulnerabilities: Detect, Exploit, Prevent”, Steve Palmer describes XSS Proxies as cross-site scripting exploitation tools that allow attackers to temporarily take control over the victim’s browser. XSS Proxy functions as a web server which takes commands from the attacker via a web browser, delivering malicious JavaScript payloads to and retrieving information […]

Read More →

CSRF and XSS – Brothers in Arms

What is CSRF (XSRF)? Cross-Site Request Forgery is a type of web attack which exploits the trust of a website in the user’s browser. In essence, the attacker manipulates the victim’s browser to send requests in the user’s name to websites that have been visited or are currently open, without the victim knowing what is […]

Read More →

Elaborate Ways to Exploit XSS: Flash Parameter Injection

Common Cross-site scripting (XSS) attacks rely on the injection of malicious code (usually JavaScript) in HTML pages, HTML headers or page DOM. There are, however, ways of injecting malicious code in less likely, very popular and innocent-looking places, such as Flash objects. The use of Flash objects has dramatically increased over the last years, with […]

Read More →

Persistent Cross-Site Scripting

Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS.  In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application. XSS vulnerabilities are the most common type of input validation […]

Read More →

The ROI of Protecting Against Cross-site Scripting

The ways in which your organization can be damaged by Cross-site Scripting (XSS) attacks are endless. Apart from the damage it can cause on its own, successful cross-site scripting can be used as a platform for delivering even more devastating attacks. First, the attack impacts your users and/or employees and may have serious repercussions on […]

Read More →

Non-Persistent Cross-site Scripting

Non-Persistent cross-site scripting (XSS), also known as Reflected XSS, is one of the three major categories of XSS attacks, the others are; persistent (or Stored) XSS and DOM-based XSS.  In general, XSS attacks are based on the victim’s browser trust in a legitimate, but vulnerable website or web application (the general XSS premises). The reflected […]

Read More →

ClickJacking and Blind XSS

What you see is NOT what you get! In essence, ClickJacking (or UI redressing) is a technique used by attackers to trick users into clicking on malicious web pages that they wouldn’t have accessed otherwise, by overlaying them on apparently legitimate web pages and hiding them from sight. When ClickJacking is successful, it can have […]

Read More →

Universal Cross-site Scripting (UXSS): The Making of a Vulnerability

What is Universal Cross-site Scripting (UXSS)? Common cross-site scripting (XSS) attacks target websites or web applications that are vulnerable to XSS, because of inadequate development of client-side or server-side code. These attacks have the vulnerable web page as main prerequisite, and their effect is always revolving around the user session on the vulnerable web page […]

Read More →