SlideShare a Scribd company logo

Cross site scripting

n|u - The Open Security Community
n|u - The Open Security Community

null Mumbai Chapter - October 2012 Meet

1 of 15
Download to read offline
Cross Site Scripting Badrish Dubey badrish007@gmail.com securetechpoint.blogspot.in
INTRODUCTION  XSS was firstly discovered around 1996 and is still in the top ten vulnerability list for the web applications  Rated 2nd in OWASP (Open Web Application Security Project) TOP 10  8th in the list of threat classification v2.0 for WASC (Web Application Security Consortium)  Grouped under client side ATTACK
What XSS can do!!!!  Stealing cookies, this is also known as Session Hijacking.  Redirecting the users to another websites.  Displaying completely different contents on your website.  Performing port scans of the customer’s internal network, which may lead to a full intrusion attempt.  Denting the REPUTATION and GOODWILL of the organization.  Can lead Huge PENALITY AMOUNT which can affect the continuity of business
Different flavors of XSS 1. Reflected Cross Site Scripting (Non Persistence) 2. Stored Cross Site Scripting (Persistence) 3. DOM based Cross Site Scripting In rest of the presentation we would be talking about the Reflected and Stored Cross site scripting.
Reflected XSS Reflected XSS, also known as, Non–Persistence XSS or TYPE 1 XSS, is the case of attack that doesn't load with the vulnerable web application but is originated by the victim loading the offending URL. Now lets us see how the Reflected XSS takes place.
Reflected XSS
 DEMO TIME 
Stored XSS Stored XSS is also known as Persistence XSS or TYPE 2 XSS. Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data storage for later use. The input, that is stored, is not correctly filtered. As a consequence, the malicious data will appear to be the part of the web site and runs within the user’s browser under the privileges of the web application.
Stored XSS
 DEMO TIME 
How to DETECT XSS 1. BLACK BOX TESTING  Using web application scanner (Automated)  Manually Testing 2. WHITE BOX TESTING  Code analysis
How to PREVENT XSS 1. Encode output, based on, input parameters 2. Filter input parameters for special characters 3. Filter output, based on, input parameters for special characters 4. White list the Input
Defense IN-DEAPTH (HttpOnly) • Set the HTTPOnly flag on your session cookie and on any custom cookie that you don’t want to be accessed by any javascript. • When you mark your cookie as HttpOnly, then it is not accessible via javascript. • In case after taking all the measures for XSS, if it still executes, then HttpOnly flag minimizes the damage.
References • OWASP:- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) • WASC:- http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Script ing • Wikipedia:- http://en.wikipedia.org/wiki/Cross-site_scripting • CERT Advisory:- http://www.cert.org/advisories/CA-2000-02.html • You can also find this complete article on my blog (http://securetechpoint.blogspot.in/) and also you can get this in haking9 magazine http://hakin9.org/pentesting-with-android-exploiting- software-0612/
BE SAFE AND BE SECURE •

Recommended

Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
vinayh.vaghamshi _
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)
Nabin Dutta
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Barrel Software
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
Ali Mattash
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 

Recommended

Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
vinayh.vaghamshi _
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)
Nabin Dutta
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
Barrel Software
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
Ali Mattash
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
Manish Kumar
 
Xss ppt
Xss pptXss ppt
Xss ppt
penetration Tester
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
Daisuke_Dan
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
Aaron Weaver
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
Aman Singh
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
Eguardian Global Services
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerability
Soumyasanto Sen
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
Ritesh Gupta
 
XSS
XSSXSS
XSS
Hrishikesh Mishra
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 

More Related Content

What's hot

Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
Manish Kumar
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
Daisuke_Dan
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 

What's hot (20)

Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Xss ppt
Xss pptXss ppt
Xss ppt
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerability
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 

Viewers also liked

Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 
Cross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement TechniquesCross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement Techniques
Ronan Dunne, CEH, SSCP
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 

Viewers also liked (14)

XSS
XSSXSS
XSS
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSS
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Content security policy
Content security policyContent security policy
Content security policy
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
Xss
XssXss
Xss
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Cross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement TechniquesCross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement Techniques
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
What is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsWhat is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgets
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 

Similar to Cross site scripting

Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
Zero Science Lab
 
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxA Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
Gitam Gadtaula
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docx
richardnorman90310
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing Msd
Aung Khant
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BSides Delhi
 

Similar to Cross site scripting (20)

Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
 
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxA Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
 
4.Xss
4.Xss4.Xss
4.Xss
 
XSS Exploitation
XSS ExploitationXSS Exploitation
XSS Exploitation
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Xss frame work
Xss frame workXss frame work
Xss frame work
 
XSS.pdf
XSS.pdfXSS.pdf
XSS.pdf
 
XSS.pdf
XSS.pdfXSS.pdf
XSS.pdf
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docx
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWA
 
Understanding dom based xss
Understanding dom based xssUnderstanding dom based xss
Understanding dom based xss
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdf
 
Introducing Malware Script Detector
Introducing Malware Script DetectorIntroducing Malware Script Detector
Introducing Malware Script Detector
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing Msd
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security Playground
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
 
Not only a XSS
Not only a XSSNot only a XSS
Not only a XSS
 

More from n|u - The Open Security Community

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Cross site scripting

  • 1. Cross Site Scripting Badrish Dubey badrish007@gmail.com securetechpoint.blogspot.in
  • 2. INTRODUCTION  XSS was firstly discovered around 1996 and is still in the top ten vulnerability list for the web applications  Rated 2nd in OWASP (Open Web Application Security Project) TOP 10  8th in the list of threat classification v2.0 for WASC (Web Application Security Consortium)  Grouped under client side ATTACK
  • 3. What XSS can do!!!!  Stealing cookies, this is also known as Session Hijacking.  Redirecting the users to another websites.  Displaying completely different contents on your website.  Performing port scans of the customer’s internal network, which may lead to a full intrusion attempt.  Denting the REPUTATION and GOODWILL of the organization.  Can lead Huge PENALITY AMOUNT which can affect the continuity of business
  • 4. Different flavors of XSS 1. Reflected Cross Site Scripting (Non Persistence) 2. Stored Cross Site Scripting (Persistence) 3. DOM based Cross Site Scripting In rest of the presentation we would be talking about the Reflected and Stored Cross site scripting.
  • 5. Reflected XSS Reflected XSS, also known as, Non–Persistence XSS or TYPE 1 XSS, is the case of attack that doesn't load with the vulnerable web application but is originated by the victim loading the offending URL. Now lets us see how the Reflected XSS takes place.
  • 8. Stored XSS Stored XSS is also known as Persistence XSS or TYPE 2 XSS. Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data storage for later use. The input, that is stored, is not correctly filtered. As a consequence, the malicious data will appear to be the part of the web site and runs within the user’s browser under the privileges of the web application.
  • 11. How to DETECT XSS 1. BLACK BOX TESTING  Using web application scanner (Automated)  Manually Testing 2. WHITE BOX TESTING  Code analysis
  • 12. How to PREVENT XSS 1. Encode output, based on, input parameters 2. Filter input parameters for special characters 3. Filter output, based on, input parameters for special characters 4. White list the Input
  • 13. Defense IN-DEAPTH (HttpOnly) • Set the HTTPOnly flag on your session cookie and on any custom cookie that you don’t want to be accessed by any javascript. • When you mark your cookie as HttpOnly, then it is not accessible via javascript. • In case after taking all the measures for XSS, if it still executes, then HttpOnly flag minimizes the damage.
  • 14. References • OWASP:- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) • WASC:- http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Script ing • Wikipedia:- http://en.wikipedia.org/wiki/Cross-site_scripting • CERT Advisory:- http://www.cert.org/advisories/CA-2000-02.html • You can also find this complete article on my blog (http://securetechpoint.blogspot.in/) and also you can get this in haking9 magazine http://hakin9.org/pentesting-with-android-exploiting- software-0612/
  • 15. BE SAFE AND BE SECURE •