XSS
Ayman Babiker
You Should Already Know
• HTML.
• JavaScript.
• PHP, ASP, etc.
Cross Site Scripting (XSS)
• One of the most common application-layer web attacks.
• Operates on the client side (in the user's web browser).
• 13% of total hacking techniques (in 2011).
• Neglected by developers. WHY?!
• Executed every time the page is loaded.
• Delivered as JavaScript, VBScript, ActiveX, HTML, or Flash.
Cross Site Scripting (XSS)
• XSS can cause a variety of problems for the end user, from an annoying alert box to complete account compromise through session hijacking.
• Installation of Trojan horse programs.
• Page modification and redirection.
XSS types

• Stored XSS Attacks.
• Reflected XSS Attacks.
• DOM Based XSS.
How it works
<form method="get" action="index.php">
   <input name="hack_me" />
   <input type="submit" value="Submit" />
</form>
How it works
<?php
 $txt = $_GET['hack_me'];
 echo $txt; // reflected unescaped: hack_me=<script>alert("Hacked");</script> runs in the browser
?>
Alternate XSS Syntax
• Using Script in Attributes
   • <body onload=alert('Hacked')>
   • <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
• XSS using Script Via Encoded URI Schemes
   • <img src=j&#X41vascript:alert('Hacked')>
Commonly used to achieve the following malicious results:

• Identity theft.
• Accessing sensitive or restricted information.
• Gaining free access to otherwise paid-for content.
• Spying on the user's web browsing habits.
• Altering browser functionality.
• Web application defacement.
• Denial of Service attacks.
XSS Countermeasures
• There are a huge number of XSS attack vectors, but following a few simple rules can completely defend against this serious attack.
• The simplest form of XSS protection is to pass all external data through a filter (on the server side).
• It is recommended to use libraries that have been tried and tested by the community.
• XSS techniques keep changing, so your filters will need to be updated periodically.
• ESAPI (OWASP), AntiXSS (Microsoft).
XSS Countermeasures
• HTML Escape Before Inserting Untrusted Data into HTML Element Content:
   • ESAPI Encoder Example:
     String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
   • AntiXSS Equivalent:
     string safe = Microsoft.Security.Application.AntiXss.HtmlEncode( Request.QueryString[ "input" ] );
XSS Countermeasures
• Also encode untrusted data before inserting it into:
   • HTML Common Attributes.
   • JavaScript Data Values.
   • HTML Style Property Values.
   • HTML URL Parameter Values.
• Also use the HttpOnly cookie flag.
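Added example (not from the slides, and written in Python rather than the PHP of the index.php snippet): it takes the `echo $txt` reflection from "How it works" and the three payload shapes from "Alternate XSS Syntax" as constructed inputs, shows that a naive filter which strips only `<script>` tags still lets two of them inject markup, and then renders the same value with a context-specific encoder for each of the contexts the countermeasure slides list (HTML element content, HTML attribute, JavaScript data value, URL parameter), plus a session cookie carrying the HttpOnly flag. Function names, the page template and the sample inputs are assumptions of this example; the encoders use the Python standard library as stand-ins for ESAPI/AntiXSS.

```python
# Added example (not from the slides). Python stand-ins for the ESAPI/AntiXSS
# encoders; all names, the template and the sample inputs are constructed.
import html
import json
import re
from http.cookies import SimpleCookie
from urllib.parse import quote

# Constructed inputs. The first three follow the payload shapes quoted on the
# slides; the last is benign text that an encoder must not corrupt.
SAMPLE_INPUTS = [
    '<script>alert("Hacked");</script>',
    '<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>',
    "<img src=j&#X41vascript:alert('Hacked')>",
    'O\'Neil & "friends"',
]


def naive_filter(value: str) -> str:
    """The ad-hoc blocklist the slides warn about: removes <script> tags and nothing else."""
    return re.sub(r"(?i)</?script[^>]*>", "", value)


def encode_for_html(value: str) -> str:
    """HTML element content: & < > " ' become entities (stand-in for encodeForHTML / HtmlEncode)."""
    return html.escape(value, quote=True)


def encode_for_html_attr(value: str) -> str:
    """Quoted HTML attribute value: same entities; the template must put quotes around it."""
    return html.escape(value, quote=True)


def encode_for_js(value: str) -> str:
    """JavaScript string literal: JSON-encode, then hex-escape < > & so the HTML parser
    can never see a closing </script> inside the data."""
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def encode_for_url_param(value: str) -> str:
    """URL query parameter value: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


def render_filtered(txt: str) -> str:
    """Mirrors `echo $txt` from index.php with only the naive filter in front of it."""
    return f"<p>You entered: {naive_filter(txt)}</p>"


def render_encoded(txt: str) -> str:
    """Hardened rendering: the same value reaches four contexts, each with its own encoder."""
    return (
        f"<p>You entered: {encode_for_html(txt)}</p>\n"
        f'<input name="hack_me" value="{encode_for_html_attr(txt)}">\n'
        f"<script>var last = {encode_for_js(txt)};</script>\n"
        f'<a href="index.php?hack_me={encode_for_url_param(txt)}">again</a>'
    )


def injects_markup(render, txt: str) -> bool:
    """True when rendering txt adds a tag start ('<') that the template alone does not contain."""
    return render(txt).count("<") > render("").count("<")


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line with the HttpOnly flag, so script in the page cannot read the session."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(f"{sample[:40]!r:45} filter-only injects: {injects_markup(render_filtered, sample)!s:5} "
              f"encoded injects: {injects_markup(render_encoded, sample)}")
    print(render_encoded(SAMPLE_INPUTS[1]))
    print(session_cookie_header("constructed-session-id"))
```

Run it and the filter-only column reads False, True, True, False: the blocklist stops the slide's `<script>` payload and nothing else, which is the "your filters will need to be updated periodically" trap. The encoded column is False for every input, because no encoder ever emits a raw `<`, and the benign name survives as `O&#x27;Neil &amp; &quot;friends&quot;`. In ESAPI the per-context calls are `encodeForHTMLAttribute`, `encodeForJavaScript` and `encodeForURL` alongside the `encodeForHTML` shown on the slide.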
More?
• http://ha.ckers.org/xss.html
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
The End.