- Source: Self-XSS
Self-XSS (self cross-site scripting) is a type of security vulnerability used to gain control of victims' web accounts. In a Self-XSS attack, the victim of the attack runs malicious code in their own web browser, thus exposing personal information to the attacker.
Overview
Self-XSS operates by tricking users into copying and pasting malicious content into their web browser. This covers both the case where a user pastes a payload into an input field on a page and the case where they paste it into the web developer console. Usually, the attacker posts a message claiming that by copying and running certain code, the user will receive virtual rewards or be able to hack a website. In fact, the code allows the attacker to hijack the victim's account. Self-XSS usually has very low impact; however, chaining it with a cross-site request forgery vulnerability escalates its impact to that of typical cross-site scripting.
History and mitigation
In the past, a very similar attack took place, in which users were tricked into pasting malicious JavaScript into their address bar. When browser vendors stopped this by making it hard to run JavaScript from the address bar, attackers started using Self-XSS in its current form. Web browser vendors and web sites have taken steps to mitigate this attack. Firefox and Google Chrome have both begun implementing safeguards to warn users about Self-XSS attacks. Facebook and others now display a warning message when users open the web developer console, and they link to pages explaining the attack in detail.
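As an added illustration, not taken from the original article or from any site or browser vendor, the following shows one way a site can print the kind of developer-console warning described above. The site name, help URL and the guard flag name are assumed placeholders.

```javascript
// Added example of a site-side Self-XSS console warning. Illustrative only;
// this is not Facebook's, Firefox's or Chrome's implementation.

const WARNING_FLAG = "__selfXssWarningShown"; // hypothetical guard property

// Build the console.log arguments for a styled, multi-part warning.
// Returned as an array so it can be inspected without a real console.
function buildSelfXssWarning(siteName, helpUrl) {
  const parts = [
    ["%cStop!", "color: red; font-size: 48px; font-weight: bold;"],
    [
      "%cThis is a browser feature intended for developers. If someone told " +
        "you to copy and paste something here to unlock a feature or to " +
        "\"hack\" an account on " + siteName + ", it is a scam and will give " +
        "them access to your account.",
      "font-size: 16px;",
    ],
    ["%cSee " + helpUrl + " for more information.", "font-size: 16px;"],
  ];
  // One format string with several %c segments, followed by one style string
  // per segment, in order: that is the shape console.log expects.
  const format = parts.map(([text]) => text).join("\n");
  const styles = parts.map(([, style]) => style);
  return [format, ...styles];
}

// Print the warning once per page load. Returns true if it printed, false if
// it had already been shown on the given scope (idempotent, no console spam).
function installSelfXssWarning(siteName, helpUrl, scope = globalThis) {
  if (scope[WARNING_FLAG]) return false;
  scope[WARNING_FLAG] = true;
  console.log(...buildSelfXssWarning(siteName, helpUrl));
  return true;
}
```

In a real page this would be called from a script loaded on every authenticated view, so the message is already in the console when a user opens it.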
Etymology
The "self" part of the name comes from the fact that the user is attacking themselves. The "XSS" part of the name comes from the abbreviation for cross-site scripting, because both attacks result in malicious code running on a legitimate site. However, Self-XSS has much less impact than most other XSS vulnerabilities because it relies on social engineering. Additionally, the risk of Self-XSS arising from use of the web developer console cannot be eliminated by the site operator, unlike other XSS vulnerabilities, which the site operator can fix.
Further reading
McCaney, Kevin (November 16, 2011). "4 ways to avoid the exploit in Facebook spam attack". GCN. 1105 Public Sector Media Group. Retrieved September 28, 2014.