Cross site scripting (xss)


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cross site scripting (xss)

  3. 3. CROSS-SITE SCRIPTING (XSS)  Cross-site scripting or XSS is a defined as a computer security vulnerability found in web applications.  XSS allows for code injection by malicious web users into Internet pages viewed by other users.  In an XSS attack, the attacker gains the ability to see private user IDs, passwords, credit card information and other personal identification.
  4. 4. XSS VULNERABILITIES  Cross-Site Scripting stems from the notion that a malicious web site has the ability to load another web site into another frame or window.  This is accomplished by JavaScript which is used to read or write data on the other web site.  There are three types of XSS vulnerabilities:  Non-Persistent  Persistent  DOM-Based
  5. 5. NON-PERSISTENT  These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user  When unvalidated user-supplied data has been included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page.  An example could be when an attacker convinces a user to follow a malicious URL that injects code into the results page; thus giving the attacker full access to that page's content.
  6. 6. PERSISTENT  The Persistent or Type 2 XSS vulnerability allows the most powerful kinds of attacks.  This form of vulnerability exists when data provided to a web application by a user is first stored on the server (database, filesystem, other location).  Eventually, this will be displayed to users in a web page without being encoded using HTML entities.
  7. 7. DOM-BASED  Piece of JavaScript accesses a URL request parameter and uses this information to write some HTML to its own page.  This information is not encoded using HTML entities, an XSS hole will likely be present.  This written data will be re-interpreted by browsers such as HTML and could include additional client-side script .
  8. 8. AVOIDING XSS VULNERABILITIES  Eliminating scripts  Cookie security  Input validation  Escaping and filtering
  9. 9. ELIMINATING SCRIPTS  In order to reduce the risk of identifying malicious script, hackers encode with a different encoding method, such as HEX.  Some web applications are written to function without the need for client-side scripts.  In this way, potentially malicious client-side scripts could be inserted unescaped on a page, and users would not be susceptible to XSS attacks.
  10. 10. COOKIE SECURITY  Many web applications rely on session cookies for authentication between individual HTTP requests.  Because client-side scripts have access to cookies, XSS exploits are able steal these cookies and hinder business functions.  Web applications tie session cookies to the IP address of the user who originally logged in; only that IP address is permitted to use the particular cookie.
  11. 11. INPUT VALIDATION  Input Validation is a common theme in application development.  It helps decipher other injection attacks such as SQL injection.  Effective for most types of input, yet when an application by design must be able to accept special HTML characters, HTML entity encoding is the desired choice.
  12. 12. ESCAPING AND FILTERING  One way to eliminate XSS vulnerabilities is to encode locally or at the server all user-supplied HTML special characters.  Transform these character entities, in order to prevent them from being interpreted as HTML.  Due to the flexibility and complexity of HTML, other standards, and the continuous addition of new features, it is impossible to determine if all possible injections are terminated.
  13. 13. AVOIDING XSS VULNERABILITIES  Do not follow links from sites that navigate to security- sensitive pages referencing personal or business information.  Always practice obtaining a list of attacks that have occurred on particular sites or messages boards.
  14. 14. AVOIDING XSS VULNERABILITIES  User’s can disable scripting when not required in order to reduce an XSS-style attack.  Do not trust links given on other sites such as e-mail or message boards.  Always access any site with sensitive information through its address and not third party sites
  15. 15. CONCLUSION  Always practice using testing tools during the design phase to eliminate XSS holes in the application.  Remedies such as input validation and HTML escaping are essential, yet that must be applied at all application points accepting data.  There is a misconception sometimes applied to XSS holes in general which leads to a disagreement in the security community as to the importance of cross-site scripting vulnerabilities.