CROSS-SITE SCRIPTING (XSS)
Cross-site scripting or XSS is a defined as a
computer security vulnerability found in web
XSS allows for code injection by malicious web
users into Internet pages viewed by other users.
In an XSS attack, the attacker gains the ability to
see private user IDs, passwords, credit card
information and other personal identification.
Cross-Site Scripting stems from the notion that a
malicious web site has the ability to load another
web site into another frame or window.
read or write data on the other web site.
There are three types of XSS vulnerabilities:
These holes show up when data provided by a
web client is used immediately by server-side
scripts to generate a page of results for that
When unvalidated user-supplied data has
been included in the resulting page without
HTML encoding, this will allow client-side
code to be injected into the dynamic page.
An example could be when an attacker
convinces a user to follow a malicious URL
that injects code into the results page; thus
giving the attacker full access to that page's
The Persistent or Type 2 XSS vulnerability allows
the most powerful kinds of attacks.
This form of vulnerability exists when data
provided to a web application by a user is first
stored on the server (database, filesystem, other
Eventually, this will be displayed to users in a web
page without being encoded using HTML entities.
parameter and uses this information to write some
HTML to its own page.
This information is not encoded using HTML
entities, an XSS hole will likely be present.
This written data will be re-interpreted by
browsers such as HTML and could include
additional client-side script .
In order to reduce the risk of identifying malicious
script, hackers encode with a different encoding
method, such as HEX.
Some web applications are written to function
without the need for client-side scripts.
In this way, potentially malicious client-side
scripts could be inserted unescaped on a page,
and users would not be susceptible to XSS attacks.
Many web applications rely on session cookies for
authentication between individual HTTP requests.
Because client-side scripts have access to cookies,
XSS exploits are able steal these cookies and
hinder business functions.
Web applications tie session cookies to the IP
address of the user who originally logged in; only
that IP address is permitted to use the particular
Input Validation is a common theme in application
It helps decipher other injection attacks such as
Effective for most types of input, yet when an
application by design must be able to accept
special HTML characters, HTML entity encoding is
the desired choice.
ESCAPING AND FILTERING
One way to eliminate XSS vulnerabilities is to
encode locally or at the server all user-supplied
HTML special characters.
Transform these character entities, in order to
prevent them from being interpreted as HTML.
Due to the flexibility and complexity of HTML,
other standards, and the continuous addition of
new features, it is impossible to determine if all
possible injections are terminated.
Do not follow links from sites that navigate to security-
sensitive pages referencing personal or business
Always practice obtaining a list of attacks that have
occurred on particular sites or messages boards.
User’s can disable scripting when not required in order
to reduce an XSS-style attack.
Do not trust links given on other sites such as e-mail or
Always access any site with sensitive information
through its address and not third party sites
Always practice using testing tools during the
design phase to eliminate XSS holes in the
Remedies such as input validation and HTML
escaping are essential, yet that must be
applied at all application points accepting
There is a misconception sometimes applied
to XSS holes in general which leads to a
disagreement in the security community as to
the importance of cross-site scripting