What is cross-site scripting?
• Cross-Site Scripting (referred to as XSS) is a type of web application attack where
malicious client-side script is injected into the application output and
subsequently executed by the user’s browser.
• An attacker can use XSS to send a malicious script to an unsuspecting user. The
end user’s browser has no way to know that the script should not be trusted, and
will execute the script, because it thinks the script came from a trusted source.
Why should I care about cross-site scripting?
• The consequences of what an attacker can do with the ability to
execute JavaScript on a web page may not immediately stand out,
especially since browsers run JavaScript in a very tightly controlled
environment and JavaScript has limited access to the user’s
operating system and the user’s files.
Who’s affected by cross-site scripting?
• Everyone. No, really – almost every site you can think of has had XSS
problems at one time or another (and probably still does):
• Universal XSS in Internet Explorer (2015) [1]
• Tweetdeck (2014) [2]
• PayPal (2013) – BONUS: discovered by a 17-year-old kid [3]
• Google Finance (2013) [4]
• 25 “Verisign-secured” online stores (2012) [5]
• McAfee (2011) [6]
• Visa (2010) [7]
Believe it or not:
• 45884 total XSS
• 3026 fixed
Types of XSS:
• XSS can be used in a range of ways to cause serious problems.
1: Stored XSS:
The most damaging type of XSS is Stored (Persistent) XSS. Stored XSS attacks
involve an attacker injecting a script (referred to as the payload) that is permanently
stored (persisted) on the target application.
2: Reflected XSS:
The second, and by far most common, type of XSS is Reflected XSS. In Reflected XSS,
the attacker’s payload script has to be part of the request which is sent to the web
server and reflected back in such a way that the HTTP response includes the payload
from the HTTP request.
3: DOM-based XSS:
DOM-based XSS is an advanced type of XSS attack which is made possible when the
web application’s client-side scripts write user-provided data to the Document Object
Model (DOM).
Reflected XSS:
<?php
// Is the "name" parameter present and non-empty?
if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') {
    $isempty = true;
} else {
    // The user-supplied value is echoed straight into the HTML response
    // without any output encoding, so markup in it is rendered as-is.
    echo '<pre>';
    echo 'Hello ' . $_GET['name'];
    echo '</pre>';
}
?>
• http://192.168.182.136/dvwa/vulnerabilities/xss_r/?name=bilal%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E#
(the URL-encoded name parameter decodes to: bilal<script>alert("hello")</script>)
Stored XSS :
DOM XSS: this page was a search page. The attacker injects code that
displays an image; instead of search results, the victim sees an image.
Some examples of how XSS is served:
Methods of preventing XSS
• Encoding: First of all, encode all <, >, ' and ". This should be the first step of your
XSS filter. See the encoding below:
• & –> &amp;
• < –> &lt;
• > –> &gt;
• " –> &quot;
• ' –> &#x27;
• / –> &#x2F;
• Validation: filter the user input so that what the browser interprets
contains no malicious commands.
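The following is an added example (not from the slides or from DVWA) that puts the reflected XSS handler shown earlier beside a hardened version which applies the encoding table above before echoing. The function names encode_for_html, greet_vulnerable and greet_hardened are my own, and the $request array is a constructed input holding the decoded name parameter from the DVWA URL on the Reflected XSS slide.

```php
<?php
// Added example: hardened output encoding for the reflected XSS handler.
// Run with: php example.php

// Encode the six characters from the encoding table on the slide.
// strtr() with an array replaces in one pass and never re-encodes its
// own output, so "&" is handled safely even though "&amp;" contains "&".
function encode_for_html(string $value): string {
    return strtr($value, [
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#x27;',
        '/' => '&#x2F;',
    ]);
}

// Vulnerable: same logic as the DVWA-style handler, user input is
// concatenated straight into the HTML response.
function greet_vulnerable(array $get): string {
    if (!array_key_exists('name', $get) || $get['name'] === null || $get['name'] === '') {
        return '';
    }
    return '<pre>Hello ' . $get['name'] . '</pre>';
}

// Hardened: identical logic, but the value is encoded for an HTML text
// context first. htmlspecialchars($v, ENT_QUOTES | ENT_HTML5) is the
// built-in equivalent for &, <, >, " and '.
function greet_hardened(array $get): string {
    if (!array_key_exists('name', $get) || $get['name'] === null || $get['name'] === '') {
        return '';
    }
    return '<pre>Hello ' . encode_for_html($get['name']) . '</pre>';
}

// Constructed input (hypothetical): the decoded query string from the slide.
$request = ['name' => 'bilal<script>alert("hello")</script>'];

echo "Vulnerable response:\n", greet_vulnerable($request), "\n\n";
echo "Hardened response:\n", greet_hardened($request), "\n";

// Self-check: the hardened output must not contain a raw script tag.
if (strpos(greet_hardened($request), '<script') !== false) {
    throw new RuntimeException('encoding failed: raw <script> tag survived');
}
```

In the hardened response the browser displays the literal text of the payload inside the <pre> element rather than executing it, which is the whole point of encoding at the output stage rather than trying to blacklist input.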
Open Source Libraries for Preventing XSS Attacks
• PHP AntiXSS: This is a nice PHP library that can help developers add
an extra layer of protection against cross-site scripting vulnerabilities.
• xss_clean.php filter: This is a strong XSS filter that cleans various
URL encodings and nested exploits.
• HTML Purifier: This is a standard HTML filtering library written in
PHP. It removes all malicious code from the input and protects the
website from XSS attacks. It is also available as a plug-in for most PHP
frameworks.
• XSS Prevention Rules by OWASP
References:
• 1: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
• 2: https://en.wikipedia.org/wiki/Cross-site_scripting
• 3: https://www.acunetix.com/websitesecurity/xss/
• 4: http://excess-xss.com/
• 5: https://www.google.com.pk/search?q=Persistent+XSS&source=lnms&tbm=isch&sa=X&ved=0ahUKEwi2hqXdjpzTAhWCro8KHRF7AdUQ_AUICCgB&biw=1366&bih=676#imgdii=x-ReLnly4hYDrM:&imgrc=v0wp7b1CE1M5sM:
• 6: https://www.acunetix.com/websitesecurity/cross-site-scripting/
• 7: https://code.google.com/p/php-antixss/
• 8: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Cross site scripting