Cross Site Scripting Attacks: XSS Exploits and Defense


Chapter 6 • XSS Exploited

javascript:windowOpener("http://www.evilsite.com","Offender Details", 200, 200)

The fact that an attacker can put anyone's name and address into these types of Web pages is very disturbing. A typical user would have no idea they were being duped into believing something fake. Unfortunately, this is just one of many ways an XSS attack could be abused to tarnish a person's reputation. We selected this particular target as an example to drive home the point that XSS can truly be malicious in the wrong hands.
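The payload fragment above works because a parameter the attacker controls ends up as a link target, so a javascript: URL can call the page's own windowOpener helper with an evilsite.com address. The following is an added example, not code from the book or from the site it describes: a scheme allowlist that rejects javascript: (and other non-web schemes, including case and whitespace variants) before a user-supplied value is written into an href. The site name example.org, the helper names, and the sample inputs are assumptions constructed for this illustration.

```javascript
// Added example (not from the book): reject javascript: and other non-web
// URL schemes before an attacker-supplied value is used as a link target.
// The payload on this page runs only if the scheme is still "javascript:"
// when the browser follows the link, so that is what the check must decide.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised absolute URL if its scheme is allowed, else null.
// `base` (assumed site origin) resolves relative paths such as "/offenders/42".
function safeHref(candidate, base = "https://example.org/") {
  if (typeof candidate !== "string") return null;
  let parsed;
  try {
    // The WHATWG parser strips leading whitespace and embedded tabs/newlines
    // and lower-cases the scheme, so "  JavaScript:" and "java\tscript:"
    // both normalise to "javascript:" and are rejected below instead of
    // slipping past a naive string comparison.
    parsed = new URL(candidate, base);
  } catch {
    return null; // unparseable input is never a valid link
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// The link text is escaped separately: URL filtering says nothing about the
// HTML context the value lands in, and vice versa.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Builds the anchor markup; a rejected URL degrades to a harmless "#".
function renderOffenderLink(url, label) {
  const href = safeHref(url) ?? "#";
  return `<a href="${escapeHtml(href)}">${escapeHtml(label)}</a>`;
}

// Constructed inputs: the payload from the page plus common evasions and
// two legitimate values that must still be accepted.
const SAMPLES = [
  'javascript:windowOpener("http://www.evilsite.com","Offender Details", 200, 200)',
  "  JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "http://www.evilsite.com/",
  "/offenders/42",
];

// Runs every sample through the check; null means the link was refused.
function classify() {
  return SAMPLES.map((s) => ({ input: s, href: safeHref(s) }));
}

for (const r of classify()) console.log(JSON.stringify(r));
```

Note that the check allows http://www.evilsite.com/ itself: an allowlist of schemes stops script execution in the victim's origin, which is the XSS problem on this page, but it is not a defence against linking to an attacker's site. Whether off-site links should be permitted at all is a separate policy decision.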

Equifraked

There are only a few numbers you need to be concerned about in the consumer world. The first is your Social Security number, simply because it is how almost every company and government agency keeps track of you. The second is your credit score, which is essentially a numerical value that represents your proven ability to pay off your bills on time. In the US, there are only three major companies that keep track of this value: Experian, Equifax, and TransUnion. Since this service has such an impact on a person's life, you can request one free copy of your credit history from each of the rating companies each year. This request does not include your credit score, but it will give you the chance to clear up mistakes or problems with your credit history before you try to get a mortgage or car loan. However, in order to obtain this information, you have to prove who you are via a screen similar to Figure 6.4 that asks for your SSN, birth date, user account information, and more.

Figure 6.4 Equifax Identity Validation
