If you are having trouble viewing this email, click here to view this online



   ISSUE 63

14 October 2016

Article of the Month Around the World

Are you sure about the links you click on the web?

Cross Site Scripting as a method of Phishing

Cross site scripting (XSS)

Cross site scripting is regarded as one of the most dangerous types of cyber-attacks in the current world. Some important things that can be done via a cross site scripting including session hijacking, Escalating the user credentials (Username, Password), Site redirection or anything which is possible with a client side execution code (JavaScript).

Here the attacker uses basic vulnerabilities of the system with his knowledge on client side scripting (JavaScript) in order to build a Link, which on click (By victim) escalates data from the victim. Then the escalated data is redirected to the victim�s server. These escalated data are then used by the attacker in order to masquerade and log in to the victim�s system.

There are 3 types of XSS attacks,

1. Stored XSS
2. Reflected XSS
3. DOM based XSS

Stored XSS

The link is usually attached to the web pages via comment boxes or via a server side injection. Storing the script within a database is also considered under this category.


Reflected XSS

Immediate return of a web page after an error message can be considered under Reflected XSS.


DOM based XSS

DOM Based XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser.

Most of the sites in the web maintain their stateless http to a stately one with the use of cookies or sessions. Using these sessions, the state of a user at a given period of time is maintained. Sessions or cookies are used to keep records on the things that they are done over a past period of time. By using these they maintain a certain amount of private data belonging into their user profile over a given amount of time. Using a session hijacking attempt this session id is used with the necessary privileges.
Through XSS, cookies can be hijacked too. The same scenario as sessions escalation is used in this attempt. But rather than sessions, cookies do carry raw data as a whole, unless they are separately encrypted. Therefore, there is a possibility that raw data such as username, privileged level can be extracted from them as well. Therefore, by using them with another method of attacking such as a brute force attempt the passwords can be retrieved as well.

Therefore, XSS scripting can be more than harmful once these sensitive data are extracted.

Except for session and cookie hijacking, XSS is used for the purposes of redirecting the users to phishing sites or other links. Most phishing sites appear as identical sites to some popular sites, however they can be usually identified by examining its URL in the address bar.


Therefore, XSS scripting can be more than harmful once these sensitive data are extracted.

Except for session and cookie hijacking, XSS is used for the purposes of redirecting the users to phishing sites or other links. Most phishing sites appear as identical sites to some popular sites, however they can be usually identified by examining its URL in the address bar.



Rather than blaming the user�s unawareness, XSS are faults of developers. Proper validation checks should be done on both the client side and the server side such that even application of XSS JavaScript code through interception can be prohibited. These validations should be done in order to prevent insertion of JavaScript code. Validation has to be on client�s side as well as from the database side, such that it can prevent improper manipulation of code.

However as regular users it�d be better for anyone if verification of the links can be done before clicking anything, otherwise you may lose control of details from your personal life to bank account details.



Pasan Chamiekara

Pasan is an undergraduate of Sri Lanka Institute of Information Technology following Bachelor of Science specializing in Cyber Security and currently working as Intern - Information Security at Sri Lanka CERT|CC











1 Statistics on the Internet growth in Sri Lanka
2.The Dragon Research Group (DRG)
3.TSUBAME (Internet threat monitoring system) from JPCERT | CC
4.Shadowserver Foundation
5. Team Cymru

  11 of the best cloud management tools for business 2016: How to manage your cloud computing usage and costs
   "....Most cloud computing platforms run a pay-as-you-go model and this can make managing the general usage and costs difficult. We have compiled a list of cloud computing management tools for businesses that aim to manage costs, usage and ultimately optimise the cloud...."

Research: Companies fear mobile devices as massive cybersecurity threat


"...According to an online poll conducted by Tech Pro Research in June, everyday threats like security breaches involving mobile devices are more worrisome than acts of cybercrime. More results from this research are presented in the infographic below:...."


'...Last weekend, cellphones across Iraq lit up with the same text message. �Dear subscriber,� the message read in Arabic. �On instructions from the Ministry of Communications, internet access will be cut off every day between October 1 and 8, from 6 to 9 a.m. These instructions were issued to every internet service provider...'

17 tools to protect your online security


'....Last month's news about the massive data breach at Yahoo, which affected at least 500 million user records, making it the largest data breach on record, might finally be what it takes to get the average internet user to take online security into their own hands � if only they knew how.....'

Trade of online gaming currencies fuels cybercrime


'....Though the majority of gaming companies prohibit the real-money trading of online gaming currencies, the practice is still widespread, and according to Trend Micro researchers, the money that cybercriminals earn through it is used to mount DoS attacks, spam campaigns, perpetrate identity theft and financial fraud against a variety of business and organizations, and so on....'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in September  2016
  Statistics - Sri Lanka CERT|CC


'"...A joint statement from Department of Homeland Security and the intelligence community point the finger at the Russian government for authorizing the recent hacks that compromised the Democratic National Committee and other political institutions. ...'

Classified U.S. Defense Network Outage Hits Air Force�s Secret Drone Operations

'...he Air Force is investigating the connection between the failure of its classified network, dubbed SIPRNet, at Creech Air Force Base and a series of high-profile airstrikes that went terribly wrong in September this year.
Creech Air Force Base is a secret facility outside Las Vegas, where military and Air Force pilots sitting in dark and air-conditioned rooms, 7100 miles from Syria and Afghanistan, remotely control their "targeted killing" drone campaign in a video-game-style warfare.....'

'Suspicious' timing for Yahoo to disable auto-forwarding, source

"...Yahoo users attempting to switch email accounts to rival providers are having a hard time of it due to the fact that Yahoo Mail's automatic email forwarding feature � which enables users to forward a copy of incoming emails from their Yahoo account to an external competitor � was disabled in the first week of October, according to a post by independent computer security analyst Graham Cluley......"
Spurned in India, Facebook Is Now Shopping Its Free Internet Program in the U.S

'...Is Facebook a socially minded company that wants to help close America�s embarrassing digital divide? Or is it a cynical corporation looking to foist its branded version of the Internet on people in the hopes that they become revenue-generating users?

The truth may be a bit of both. According to the Washington Post, Facebook is trying to get officials in the White House on board with its Free Basics program, in which the company partners with mobile providers to give users free access to a limited number of apps and websites, like Wikipedia and Facebook...."
Notice Board
  Training and Awareness Programmes - October  2016
18-10-2016 Trainers Training on School Internet safety readiness Team( EduCSIRT) Hotel Miraj, Colombo 6

Brought to you by: