Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks allow attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability can be used by attackers to bypass access controls. Cross-site scripting accounted for about 84% of all documented security vulnerabilities through 2007.
XSS effects range from minor annoyances to significant security risks, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site owner's network.
Cross-site scripting attacks use known vulnerabilities in web-based applications, their servers, or the plug-in systems they rely on. By exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content reaches the client-side browser, all of it appears to have come from the trusted source, and so it runs with the permissions the browser grants to that site.
Compromised Access Privilege
By finding ways to inject malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information held by the browser on behalf of the user.
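The defect described in the two paragraphs above, and the fix, side by side. This is an added example, not code from the original page: a hypothetical comment feature that reflects one user's submission into a page seen by other users. The comment text, the function names and the `<p class='comment'>` markup are constructed for the illustration.

```python
import html
import re

# Constructed sample input (hypothetical): a comment submitted by one user that
# the site will show to every other visitor of the page.
USER_COMMENT = "Great article! <script>alert(1)</script>"

# Start tag of a script element; used only to check what the renderer produced.
SCRIPT_START_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_comment_vulnerable(comment: str) -> str:
    """The XSS defect: untrusted text is interpolated into HTML unchanged,
    so any markup in it becomes part of the page and runs in the site's origin."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_escaped(comment: str) -> str:
    """The fix for the HTML text context: encode the characters that HTML treats
    as markup (& < > " ') before interpolation, so the browser shows the text
    literally instead of parsing it."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def contains_script_element(rendered_html: str) -> bool:
    """True if the rendered output contains a real <script> start tag,
    i.e. if the submitted text was able to change the page structure."""
    return SCRIPT_START_TAG.search(rendered_html) is not None


def demo() -> dict:
    """Render the constructed comment both ways and report which one lets the
    submitted markup through as an element."""
    vulnerable = render_comment_vulnerable(USER_COMMENT)
    escaped = render_comment_escaped(USER_COMMENT)
    return {
        "vulnerable_output": vulnerable,
        "vulnerable_has_script": contains_script_element(vulnerable),
        "escaped_output": escaped,
        "escaped_has_script": contains_script_element(escaped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Escaping has to match the context the value lands in: `html.escape` is correct for element text and quoted attribute values, but a value placed inside a URL, a `<script>` block or an inline event handler needs that context's own encoding, and a template engine that escapes by default removes the chance of forgetting the call.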
SQL injection
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL instructions are inserted into an input field for execution (e.g., to dump database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed as part of the query.
Spoof identity
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation problems such as voiding transactions or changing balances, disclose all data on the system, destroy data or otherwise make it unavailable, and become database server administrators.
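Both root causes named above (input not filtered for string-literal escape characters, and input not strongly typed) and the "spoof identity" outcome, as an added example that is not part of the original page. It uses Python's built-in `sqlite3` module with a constructed in-memory `users` table; the table layout, the credentials and the function names are assumptions made for the illustration, and the escaping and placeholder syntax of other database engines differ.

```python
import sqlite3
from typing import Optional, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password, role) VALUES (?, ?, ?, ?)",
        [(1, "alice", "s3cret-alice", "admin"), (2, "bob", "s3cret-bob", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Defect 1: the statement is built by string formatting, so a quote in the
    input ends the string literal and the rest of the input is parsed as SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Fix 1: bound parameters keep the input as data; the driver never parses it as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def count_users_by_id_vulnerable(conn: sqlite3.Connection, user_id: str) -> int:
    """Defect 2: an untyped id is spliced straight into a numeric comparison,
    so no quote character is even needed to change the WHERE clause."""
    rows = conn.execute("SELECT id FROM users WHERE id = " + user_id).fetchall()
    return len(rows)


def count_users_by_id_typed(conn: sqlite3.Connection, user_id: str) -> Optional[int]:
    """Fix 2: require an integer (None signals rejected input), then bind it."""
    try:
        numeric_id = int(user_id)
    except ValueError:
        return None
    rows = conn.execute("SELECT id FROM users WHERE id = ?", (numeric_id,)).fetchall()
    return len(rows)


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed inputs: a correct login, and one whose password field carries SQL.
    print("valid login        :", login_parameterized(db, "alice", "s3cret-alice"))
    print("concat, bad input  :", login_vulnerable(db, "alice", "x' OR '1'='1"))
    print("params, bad input  :", login_parameterized(db, "alice", "x' OR '1'='1"))
    print("untyped id lookup  :", count_users_by_id_vulnerable(db, "1 OR 1=1"))
    print("typed id lookup    :", count_users_by_id_typed(db, "1 OR 1=1"))
```

The vulnerable login returns a row (an identity the caller never proved) because the formatted statement ends as `... AND password = 'x' OR '1'='1'`, and `AND` binds tighter than `OR`; the parameterized version compares the whole input against the stored password and returns nothing. Storing passwords in clear text, as the constructed table does, is itself a defect kept out of scope here; a real application stores a salted hash.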
Volume of SQLi Attacks
In a 2012 study, it was noted that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.
As an example: in February 2002, Jeremiah Jacks discovered that Guess.com was vulnerable to an SQL injection attack, permitting anyone able to construct a properly crafted URL to pull down 200,000+ names, credit card numbers and expiration dates from the site's customer database.
Conclusion
Typically, XSS and SQL injection attacks allow the attacker to obtain sensitive company data in order to blackmail the company or demand a ransom for not disclosing the information. XSS and SQLi are common and very frequent attacks on web applications which, when executed accurately, can do serious damage to the company's image as well as cause considerable financial losses. Keeping the databases secure and the systems patched is an essential measure for preventing these attacks.