This document discusses cross-site scripting (XSS) attacks against mobile applications. It defines XSS as a type of injection where malicious scripts are injected into trusted websites. The document describes three types of XSS attacks - reflected XSS, stored XSS, and DOM-based XSS. It provides examples of each type of attack and how attackers are able to execute scripts on a victim's machine by injecting code. The document concludes with recommendations for preventing XSS attacks, including validating all input data, encoding all output data, and setting the proper character encoding.

1. Security Concerns
Mobile Application Security

2. About
Priaum Talukder
Program: MSCSE
ID: 1612359050
Email: priaum.talukder@northsouth.edu
 https://www.linkedin.com/in/priamcse
 Course: CSE 597 / Seminar Topics
Course Teacher: Dr. Shazzad Hosain
 North South University

3. Previous Topics
 Top Issues Facing Mobile Devices
 Top Application Security Risks
 Injection
 Broken Authentication & Session Management

4. Cross Site Scripting (XSS)

5. Cross Site Scripting (XSS)
 Type of injection.
 Malicious script injected on trusted or weak web
servers.
 Attacker Uses Web Application to sent
malicious code.
 Mostly uses client side application.
 Example: HTML, JavaScript, VBScript, ActiveX,
Flash etc.

6. Cross Site Scripting (XSS)
 Cross-Site Scripting (XSS) attacks occur when:
 Data enters a Web application through an untrusted
source, most frequently a web request.
 The data is included in dynamic content that is sent
to a web user without being validated for malicious
content.

7. XSS Example
 Example of malicious code
 Modification of the Document Object Model - DOM
(change some links, add some buttons)
 Send personal information to thirds (javascript can
send cookies to other sites)

8. Cross Site Scripting (XSS)
 Attacker Executes Script on the Victim’s
machine
 Is usually Javascript
 Can be any script language supported by the
victim’s browser

9. Types of XSS
 Three types of Cross Site Scripting
 Reflected
 Stored
 DOM injection

10. Reflected XSS Attacks

11. Reflected XSS Attacks
 Reflected XSS are the most frequent type of
XSS attacks found in the wild.
 Reflected attack is like phishing attack.
 Attacker sends the malicious code via website
url.
 Reflected attacks delivered to victim via email,
website url or by other medium.
 An attacker convinces a victim to visit a URL.
 After the site reflects the attacker's content back
to the victim, the content is executed by the
victim's browser.

12. Reflected XSS Attacks
 Injected script is reflected off the web server.
 such as in an error message
 search result
 or any other response
 that includes some or all of the input sent to the
server as part of the request.

13. Reflected XSS Attacks Example
 article.php?title=<meta%20http-
equiv="refresh"%20content="0;">
 This makes a refresh request roughly about
every .3 seconds to particular page. It then acts
like an infinite loop of refresh requests,
potentially bringing down the web and database
server by flooding it with requests. The more
browser sessions that are open, the more
intense the attack becomes.

14. Stored XSS Attacks

15. Stored XSS Attacks
 Stored attacks are those where the injected
script is permanently stored on the target
servers.
 such as in a database
 in a message forum
 visitor log
 comment field
 etc.
 The victim then retrieves the malicious script
from the server when it requests the stored
information.

16. Stored XSS Attacks
 Risk when large number of users can see
unfiltered content
 Very dangerous for Content Management Systems
(CMS)
 Blogs
 Forums

17. Stored XSS Attacks
 Stored XSS Attacks of cross-site scripting
vulnerability has the largest impact of all when
compared to other XSS variants because:
 It will affect every visitor of the targeted web
application
 Unless detected and manually removed, the
malicious code will remain active on the website,
thus having a very long term effect
 Web browser’s XSS protection mechanisms do not
detect and stop persistent XSS

18. DOM Based XSS Attacks

19. DOM Based XSS Attacks
 XSS Modifies the Document Object Model
(DOM)
 Javascript can manipulate all the document
 It can create new nodes
 Remove existing nodes
 Change the content of some nodes
 JavaScript is manipulated directly inside the
client
 Using misconfiguration of client side code
 Using flows in frameworks (AngularJS, JQuery, . . .
)

20. Example DOM Based XSS
 Suppose the following code is used to create a
form to let the user choose his/her preferred
language. A default language is also provided in
the query string, as the parameter “default”.
 Code
 <select><script>
 document.write("<OPTION
value=1>"+document.location.href.substring(do
cument.location.href.indexOf("default=")+8)+"</
OPTION>");
 document.write("<OPTION
value=2>English</OPTION>");

21. Example (Cont.)
A DOM Based XSS attack against this page can
be accomplished by sending the following URL to
a victim:
 http://www.some.site/page.html?default=<script
>alert(document.cookie)</script>
 When the victim clicks on this link, the browser
sends a request for:
 /page.html?default=<script>alert(document.coo
kie)</script>
 to www.some.site. The server responds with the
page containing the above Javascript code. The
browser creates a DOM object for the page, in

22. Prevention

23. Prevention (XSS Attack)
 By validating of all incoming data or input data.
 Appropriate encoding of all output data can
prevent this attack.

24. Input Validation
 Use Standard input validation mechanism
 Validate length, type, syntax and appropriate rules
 Use the “Accept known good” validation
 Reject invalid input
 Do not forget that error messages might also
include invalid data

25. Output Validation
 Ensure that all user-supplied data is
appropriately entity encoded before rendering
 HTML or XML depending on output mechanism
 means <script> is encoded &lt;script&gt;
 Set the character encoding for each page you
output
 specify the character encoding (e.g. ISO 8859-1 or
UTF 8)
 Do not allow attacker to choose this for your users

26. Reference
 OWASP Top 10 Mobile Risks by OWASP
 https://en.wikipedia.org/wiki/Cross-site_scripting
- by wikipedia
 https://www.owasp.org/index.php/Cross-
site_Scripting_(XSS) – by OWASP
 https://www.owasp.org/index.php/XSS_(Cross_
Site_Scripting)_Prevention_Cheat_Sheet by
OWASP
 https://www.owasp.org/index.php/Types_of_Cro
ss-Site_Scripting – Types of Cross Site
Scripting by OWASP
 http://www.acunetix.com/websitesecurity/cross-

27. Thank you!