XSS attacks have become one of the most prevalent and dangerous security issues affecting web applications today. According to the Microsoft Security Intelligence Report Volume 13, there has been a significant increase in reported XSS cases over the past two years, to the point where XSS vulnerabilities have started to displace other types of reported vulnerabilities by percentage. An analysis of the vulnerabilities reported in the first half of 2012 revealed that 37% of all verified vulnerabilities involved XSS techniques that the Internet Explorer XSS Filter can mitigate.
XSS vulnerabilities occur whenever an application takes data that originated from a user and sends it to a web browser without first properly validating or encoding it. XSS attacks can be used to hijack user sessions, deface websites, conduct port scans on victims’ internal networks, conduct phishing attacks and/or take over users’ web browsers.
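To make the "validating or encoding" point above concrete, here is an added example (not from the original article) of a reflected search page in vulnerable and hardened form. The function names, the request fields `q`, `next` and `page`, and the sample input are assumptions constructed for illustration.

```javascript
// Added example; names and sample input are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encoding: neutralise characters that can end a text node or a quoted attribute value.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validation: a page number must be a small positive integer, otherwise fall back to 1.
function validatePage(raw) {
  return /^[1-9][0-9]{0,3}$/.test(String(raw)) ? Number(raw) : 1;
}

// Validation: encoding alone does not make a URL safe inside href; allow only http(s).
function validateLink(raw) {
  try {
    const url = new URL(String(raw));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch (err) {
    return '#'; // not an absolute URL
  }
}

// Vulnerable: request data goes into the markup exactly as received.
function renderUnsafe(req) {
  return '<h1>Results for ' + req.q + '</h1>' +
    '<input name="q" value="' + req.q + '">' +
    '<a href="' + req.next + '">Page ' + req.page + '</a>';
}

// Hardened: every value is validated and/or encoded for the context it lands in.
function renderSafe(req) {
  return '<h1>Results for ' + encodeHtml(req.q) + '</h1>' +
    '<input name="q" value="' + encodeHtml(req.q) + '">' +
    '<a href="' + encodeHtml(validateLink(req.next)) + '">Page ' + validatePage(req.page) + '</a>';
}

// Constructed request parameters carrying markup and a script-scheme URL.
const sample = { q: '"><script>alert(1)</script>', next: 'javascript:alert(1)', page: '2<b>' };
```

With the constructed `sample`, `renderUnsafe` emits a live `<script>` element, while `renderSafe` emits the same text as inert character references and replaces the rejected link and page number with safe defaults.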
Take control over a Remote System via XSS
If you want to know how to defend, sometimes the best place to start is to know your enemy. At AusCERT 2013, WatchGuard director of security strategy Corey Nachreiner walked information security professionals through a couple of common tools and techniques that many hackers use on a very basic level.
Nachreiner walked through Rapid7's Metasploit tool, showing how even "script kiddies" can easily use it thanks to its relatively user-friendly graphical user interface.
Cross site scripting and SQL injection