Your SlideShare is downloading. ×
Cross site scripting (xss)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Cross site scripting (xss)

260
views

Published on

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
260
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. CROSS-SITE SCRIPTING (XSS)
  • 2. OVERVIEW  INTRODUCTION  XSS VULNERABILITIES  AVOIDING XSS VULNERABILITIES  CONCLUSION  REFERENCES
  • 3. CROSS-SITE SCRIPTING (XSS)  Cross-site scripting or XSS is a defined as a computer security vulnerability found in web applications.  XSS allows for code injection by malicious web users into Internet pages viewed by other users.  In an XSS attack, the attacker gains the ability to see private user IDs, passwords, credit card information and other personal identification.
  • 4. XSS VULNERABILITIES  Cross-Site Scripting stems from the notion that a malicious web site has the ability to load another web site into another frame or window.  This is accomplished by JavaScript which is used to read or write data on the other web site.  There are three types of XSS vulnerabilities:  Non-Persistent  Persistent  DOM-Based
  • 5. NON-PERSISTENT  These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user  When unvalidated user-supplied data has been included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page.  An example could be when an attacker convinces a user to follow a malicious URL that injects code into the results page; thus giving the attacker full access to that page's content.
  • 6. PERSISTENT  The Persistent or Type 2 XSS vulnerability allows the most powerful kinds of attacks.  This form of vulnerability exists when data provided to a web application by a user is first stored on the server (database, filesystem, other location).  Eventually, this will be displayed to users in a web page without being encoded using HTML entities.
  • 7. DOM-BASED  Piece of JavaScript accesses a URL request parameter and uses this information to write some HTML to its own page.  This information is not encoded using HTML entities, an XSS hole will likely be present.  This written data will be re-interpreted by browsers such as HTML and could include additional client-side script .
  • 8. AVOIDING XSS VULNERABILITIES  Eliminating scripts  Cookie security  Input validation  Escaping and filtering
  • 9. ELIMINATING SCRIPTS  In order to reduce the risk of identifying malicious script, hackers encode with a different encoding method, such as HEX.  Some web applications are written to function without the need for client-side scripts.  In this way, potentially malicious client-side scripts could be inserted unescaped on a page, and users would not be susceptible to XSS attacks.
  • 10. COOKIE SECURITY  Many web applications rely on session cookies for authentication between individual HTTP requests.  Because client-side scripts have access to cookies, XSS exploits are able steal these cookies and hinder business functions.  Web applications tie session cookies to the IP address of the user who originally logged in; only that IP address is permitted to use the particular cookie.
  • 11. INPUT VALIDATION  Input Validation is a common theme in application development.  It helps decipher other injection attacks such as SQL injection.  Effective for most types of input, yet when an application by design must be able to accept special HTML characters, HTML entity encoding is the desired choice.
  • 12. ESCAPING AND FILTERING  One way to eliminate XSS vulnerabilities is to encode locally or at the server all user-supplied HTML special characters.  Transform these character entities, in order to prevent them from being interpreted as HTML.  Due to the flexibility and complexity of HTML, other standards, and the continuous addition of new features, it is impossible to determine if all possible injections are terminated.
  • 13. AVOIDING XSS VULNERABILITIES  Do not follow links from sites that navigate to security- sensitive pages referencing personal or business information.  Always practice obtaining a list of attacks that have occurred on particular sites or messages boards.
  • 14. AVOIDING XSS VULNERABILITIES  User’s can disable scripting when not required in order to reduce an XSS-style attack.  Do not trust links given on other sites such as e-mail or message boards.  Always access any site with sensitive information through its address and not third party sites
  • 15. CONCLUSION  Always practice using testing tools during the design phase to eliminate XSS holes in the application.  Remedies such as input validation and HTML escaping are essential, yet that must be applied at all application points accepting data.  There is a misconception sometimes applied to XSS holes in general which leads to a disagreement in the security community as to the importance of cross-site scripting vulnerabilities.