Word Notes 8.11.20
Ep 6 | 8.11.20

cross-site scripting (noun)


Rick Howard: The word is cross-site scripting.

Rick Howard: Definition: from the intrusion kill chain model, a malicious code delivery technique that allows hackers to send code of their choosing to their victims' browsers.

Rick Howard: Example sentence: Within 20 hours, the Samy XSS attack of 2005 compromised over a million victims.

Rick Howard: Context: XSS takes advantage of the fact that roughly 90 percent of web developers use the JavaScript scripting language to create dynamic content on their websites. Through various methods, hackers store their own malicious JavaScript code on unprotected websites. When the victim browses the site, the web server delivers that malicious code to the victim's computer, and the victim's browser runs the code.

Rick Howard: Simple example: on a local neighborhood website, homeowners can store items they want to sell, like furniture, clothing and toys. A hacker could add an item to the board, like an old desk, but also include malicious JavaScript in the details. When the legitimate neighbors click on the entry for the old desk, their web browser will show the desk entry, but will also run the JavaScript. A script could steal the victim's personal cookie and deliver it to another site on the Internet. The hacker could then use that cookie to perform actions on the neighborhood website with the same permissions as the victim.