XSS: Loading a https logon form over http

Ok, so I saw this on twitter and I decided to take a look at it:

The response from EnglishNationalOpera was amazing, I couldn’t believe it:

Now, you are probably thinking “What’s going on?” – It’s simple, EnglishNationalOpera does not understand the risks of having a https logon form being loaded over http.

The Explanation:

Loading a https logon form over a http connection makes the website and people who visit that website vulnerable to XSS attacks. XSS (Short for Cross Site Scripting) is a client-side script that when exexcuted, performs a malicious action in the clients web browser.

Most of the time, attackers who exploit this XSS vulnerability will attempt to steal customers’ cookies, which (if you dont know what a cookie does) holds sensitive data, such as usernames, passwords and session ids. Another thing that attackers usually do is redirect customers off to a potentially malicious website.

How dangerous is XSS?

Well, lets put it this way, Facebook and other companies offer bounties (Money) to people who find and report XSS vulnerabilities. Over 50% of websites are vulnerable to XSS.

How can I avoid XSS attacks?

  1. Don’t click on random links on social media websites (Especially Facebook, over 53% of all phishing attacks are from people on Facebook)
  2. Try to avoid shortened or obfuscated links (Such as bitly or adfly)
  3. If you see a website with a logon form and a http address. Then report it to the website owner/hoster.
  4. If you own a website, make sure that everything is loaded over https. (Even your advertisements if you have any) Some XSS attacks are from someone comprimising your adverts, because most adverts are loaded over http.
  5. If you own a website and your website uses cookies, make sure that the cookies are http only, this will stop attackers stealing the cookies, as http only cookies cannot be accessed by the client. This will prevent some XSS attacks to your website. XSS is a client side script, but since the http only cookies cannot be accessed by the client, the XSS attack will not affect your customer if the XSS script is trying to access the cookies to your website.

An example of an XSS attack would be this. Note that the link you see there is a safe and non-malicious.


XSS should not be underestimated, a few years ago, someone created an XSS worm on MySpace, which infected over 1 million PCs in the space of about a week. This worm rose awareness of XSS in the web security community, however the amount of XSS attacks are still growing, which is why we need everyone to be aware of it.

Note that it’s a good idea to clear your cookies, form data and history regularly to be safe of XSS.

Thanks to Troy Hunt, he informed me about XSS through his YouTube videos here.



3 thoughts on “XSS: Loading a https logon form over http

    1. Temporarily disabling or turning off cookies will not affect an XSS attack, you can either delete them or flag them as http only to stop an XSS attack.

      There is an option to turn all cookies off in most browsers, as for a plugin, I do not know any that do that.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s