IT542
Ethical Hacking and Network Defense
Unit 3 Assignment
Cross-Site Scripting Attacks
Jamie Carter
Professor North
Cross-Site Scripting Attacks
1. Penetration testing of web servers and applications is extremely important to ensure the application or server is not vulnerable to any of the five best-known issues. These issues include SQL injection, cross-site scripting (XSS), username enumeration, format string weaknesses, and remote code implementation (Symantec, 2006).
2. This type of attack uses a vulnerability to inject code into a page. The injected content is not under the control of the site that serves it. The attack takes place when a third-party user loads the content and the browser executes it (Google, 2010).
3. These attacks are the most common. This type of attack requires the victim to click a link or supply other input to initiate the attack (Sawyer, 2009). The input uses a link prepared by the attacker to bounce the attack through the victim's web browser, where it executes.
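The injection and reflection described in items 2 and 3 come down to one defect: untrusted input is written into HTML without being encoded for the context it lands in. The following is an added example, not code from the assignment or its sources; the page template, the function names and the sample input are assumptions constructed for illustration. It shows the vulnerable rendering beside the hardened form, and a separate treatment for the URL context, where HTML escaping alone is not enough.

```python
# Added example (not part of the original assignment): reflecting a search
# term into HTML, first unsafely and then with context-appropriate encoding.
# Template strings, function names and the sample input are assumptions.
import html
from urllib.parse import quote

# Constructed page fragments: one HTML text context, one URL/attribute context
PAGE_TEMPLATE = "<p>Search results for: {query}</p>"
LINK_TEMPLATE = '<a href="/search?q={query}">search again</a>'


def render_unsafe(user_input: str) -> str:
    """Vulnerable: the raw input is concatenated straight into the page,
    so any markup the third party supplied is parsed by the browser."""
    return PAGE_TEMPLATE.format(query=user_input)


def render_safe(user_input: str) -> str:
    """Hardened: escape &, <, >, " and ' so the browser shows the text
    literally instead of interpreting it as markup."""
    return PAGE_TEMPLATE.format(query=html.escape(user_input, quote=True))


def render_link_safe(user_input: str) -> str:
    """Hardened for a URL query parameter: percent-encode every byte that is
    not unreserved, so the value cannot break out of the href or add
    parameters of its own."""
    return LINK_TEMPLATE.format(query=quote(user_input, safe=""))


def contains_active_content(rendered: str) -> bool:
    """Crude check used here only to show whether executable markup survived
    into the rendered page; it is not a substitute for output encoding."""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered


# Constructed sample of the kind of input a third party might submit
SAMPLE_INPUT = '<script>alert("xss")</script>'

if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_INPUT))
    print("safe   :", render_safe(SAMPLE_INPUT))
    print("link   :", render_link_safe("a b&c"))
```

The safe rendering is decided by where the value lands, not by what the value looks like: `html.escape` is correct for text between tags and inside quoted attributes, while a query-string value needs percent-encoding instead. Filtering the input for suspicious strings, as `contains_active_content` does, only serves as a detection aid.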
4. The most common methods of obfuscation are numeric variance, character scrambling, nulling, aggregating, encoding, artificial data generation, and repeating character masking (Magnabosco, 2009). These methods rely on functions that already exist in SQL Server.
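To make the listed methods concrete, here is an added example, not code from the assignment or from Magnabosco's article, that applies several of them to one constructed customer record in plain Python rather than in SQL Server functions. The record layout, field names and mask character are assumptions; the random generator is seeded so the output is repeatable.

```python
# Added example (not part of the original assignment): data-masking methods
# applied to a constructed record. Field names and formats are assumptions.
import base64
import random
from typing import Any, Dict, Optional


def numeric_variance(value: float, pct: float, rng: random.Random) -> float:
    """Shift a number by a random amount within +/- pct of its value, keeping
    the column's overall shape while hiding the real figure."""
    delta = value * pct
    return round(value + rng.uniform(-delta, delta), 2)


def character_scramble(text: str, rng: random.Random) -> str:
    """Permute the characters of a string; length and alphabet are preserved."""
    chars = list(text)
    rng.shuffle(chars)
    return "".join(chars)


def nulling(_value: Any) -> Optional[str]:
    """Replace the value outright; nothing about it survives."""
    return None


def aggregate_bucket(value: int, width: int) -> str:
    """Report a range instead of an exact value, e.g. an age of 37 -> '30-39'."""
    low = (value // width) * width
    return f"{low}-{low + width - 1}"


def encode_value(text: str) -> str:
    """Base64 encoding: reversible, so it hides the value from casual reading
    only and must not be mistaken for encryption."""
    return base64.b64encode(text.encode()).decode()


def repeat_mask(text: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Repeating character mask: hide everything but the trailing digits.
    Values too short to keep any secret are masked completely."""
    if keep_last <= 0 or keep_last >= len(text):
        return mask_char * len(text)
    return mask_char * (len(text) - keep_last) + text[-keep_last:]


def mask_record(record: Dict[str, Any], rng: random.Random) -> Dict[str, Any]:
    """Apply one method per field to a constructed customer record."""
    return {
        "name": character_scramble(record["name"], rng),
        "ssn": nulling(record["ssn"]),
        "age": aggregate_bucket(record["age"], 10),
        "email": encode_value(record["email"]),
        "card": repeat_mask(record["card"]),
        "salary": numeric_variance(record["salary"], 0.10, rng),
    }


# Constructed sample record; every value here is made up
SAMPLE_RECORD = {
    "name": "Alice",
    "ssn": "000-00-0000",
    "age": 37,
    "email": "alice@example.com",
    "card": "4111111111111111",
    "salary": 50000.0,
}

if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD, random.Random(7)))
```

Which method suits a column depends on what the non-production copy still has to support: scrambling and variance keep lengths and distributions for testing, nulling is the only one that removes the value entirely, and encoding can be undone by anyone who recognises it.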
5. The most common application exploit or attack is SQL injection. This type of attack can be countered by removing the ability to run direct SQL queries from user input and by having thorough exception-handling principles in the application. Closing the window on weakness through exception-handling vulnerabilities will help secure against SQL injection.
6. Audits and account activity logs are the best way to check production databases for attacks and injections. The audits will help to ensure the code has not changed. Ensuring there are no unauthorized changes to the code will help to prevent injection attacks, also ensuring exception handling measures are
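Two checks that follow from item 6 are a fingerprint of the database schema, so that unexpected changes to its objects show up on the next audit, and a pass over the account activity log looking for schema-changing statements from accounts that are not allowed to make them. The following is an added example, not code from the assignment or its sources; the log line format, the account names and the timestamps are constructed assumptions.

```python
# Added example (not part of the original assignment): a schema fingerprint
# and a scan of a constructed activity log for unauthorised DDL.
import hashlib
import re
import sqlite3
from typing import Dict, Iterable, List, Set

# Statements that change database objects rather than query data
DDL_PATTERN = re.compile(r"^\s*(CREATE|ALTER|DROP)\b", re.IGNORECASE)


def schema_fingerprint(conn: sqlite3.Connection) -> str:
    """Hash the definitions of every object in the database; any change to a
    table, index, view or trigger changes the digest recorded at the audit."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master ORDER BY type, name"
    ).fetchall()
    blob = "\n".join(f"{t}|{n}|{s}" for t, n, s in rows)
    return hashlib.sha256(blob.encode()).hexdigest()


def unauthorized_changes(
    log_lines: Iterable[str], allowed_accounts: Set[str]
) -> List[Dict[str, str]]:
    """Return the DDL statements issued by accounts outside the allowed set.
    Assumed log format: timestamp, account and statement separated by tabs."""
    findings = []
    for line in log_lines:
        timestamp, account, statement = line.rstrip("\n").split("\t", 2)
        if DDL_PATTERN.match(statement) and account not in allowed_accounts:
            findings.append(
                {"timestamp": timestamp, "account": account, "statement": statement}
            )
    return findings


# Constructed activity log; accounts, times and statements are made up
AUDIT_LOG = [
    "2024-05-01T10:00:00Z\tapp_user\tSELECT username FROM users WHERE id = ?",
    "2024-05-01T10:01:12Z\tdba_jane\tALTER TABLE users ADD COLUMN last_login TEXT",
    "2024-05-01T10:02:40Z\tapp_user\tDROP TABLE audit_trail",
]
SCHEMA_OWNERS = {"dba_jane"}


def demo_schema_drift() -> bool:
    """Show that the fingerprint changes when a column is added."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    before = schema_fingerprint(conn)
    conn.execute("ALTER TABLE users ADD COLUMN extra TEXT")
    return schema_fingerprint(conn) != before


if __name__ == "__main__":
    print("schema drift detected:", demo_schema_drift())
    for finding in unauthorized_changes(AUDIT_LOG, SCHEMA_OWNERS):
        print("unauthorised:", finding)
```

The fingerprint only says that something changed, so the baseline has to be recorded after each approved deployment; the log scan supplies the who and when. Application accounts that need no DDL rights should not hold them in the first place, which turns the log finding from a detection into a prevented action.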
References:
Google. (2010). Cross-site scripting (XSS). Retrieved from http://google-gruyere.appspot.com/part2
Magnabosco, J. (2009). Obfuscating your SQL Server data. Retrieved from https://www.simple-talk.com/sql/database-administration/obfuscating-your-sql-server-data/
Sawyer, J. (2009). Tech insight: XSS exposed. Retrieved from http://www.darkreading.com/applications/tech-insight-xss-exposed/219501411
Symantec. (2006). Five common web application vulnerabilities. Retrieved from http://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities