Recommended
More Related Content
What's hot
What's hot (20)
Similar to Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Similar to Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar (20)
Recently uploaded
Recently uploaded (20)
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
- 1. Cross-Site Scripting (XSS) Attacks Issues and Defense by Sandeep Kumbhar M. Tech CSE, R N S I T Bangalore
- 2. Contents Introduction Impact of XSS attacks Types of XSS attacks Detection of XSS attacks Prevention of XSS attacks At client side At Server side Conclusion References Dept. of CSE, RNSIT 2012-13 1 XSS Issues and Defence
- 3. Introduction What is XSS attack? Why it is popular? Inputs for XSS attacks? Dept. of CSE, RNSIT 2012-13 2 XSS Issues and Defence
- 4. Impact of XSS attack Access to authentication credentials for Web application Cookies, Username and Password XSS is not a harmless flaw Normal users Access to personal data (Credit card, Bank Account) Misuse account (order expensive goods) Denial-of-Service Crash User’s Browser, Pop-Up-Flooding, Redirection Access to user’s machine Use ActiveX objects to control machine Upload local data to attacker's machine Spoil public image of company Load main frame content from other locations Dept. of CSE, RNSIT 2012-13 4 XSS Issues and Defence
- 5. Types of XSS Attacks Dept. of CSE, RNSIT 2012-13 3 Non-persistent or Reflected Cross-Site Scripting attacks Persistent or Stored Cross-Site Scripting attacks DOM based Cross-Site Scripting attacks XSS Issues and Defence
- 6. Reflected XSS Attacks Attacker provided script is embedded in the web page generated by the server as an immediate response of an HTTP request. Dept. of CSE, RNSIT 2012-13 5 http://myserver.com/test.jsp?name=Stefan <HTML> <Body> Welcome Stefan </Body> </HTML> XSS Issues and Defence
- 7. Dept. of CSE, RNSIT 2012-13 6 http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script> <HTML> <Body> Welcome <script>alert("Attacked")</script> </Body> </HTML> XSS Issues and Defence
- 8. Stored XSS Attacks Attacker provided script is stored to a database and later retrieved and embedded in the web page generated by the server Dept. of CSE, RNSIT 2012-13 7 XSS Issues and Defence
- 9. Dept. of CSE, RNSIT 2012-13 8 Unvalidated Input resulted in a Cross-Site Scripting Attack and the theft of the Administrator’s Cookie XSS Issues and Defence
- 10. Detection Of XSS Check if special characters are encoded <XSS> vs. <XSS> Check if a double quote escape can be evaded <script>alert(String.fromCharCode(88, 83, 83));<script> Check if script can be executed <script>alert(“XSS”)</script> Dept. of CSE, RNSIT 2012-13 9 XSS Issues and Defence
- 11. Detection Of XSS Cont.. Check if input filtering can be evaded <SCRIPT>alert("XSS");//</SCRIPT> Denial of service <script>alert(document.cookie);</script>article.php?title= <meta%20httpequiv="refresh"%20content="0;"> Dept. of CSE, RNSIT 2012-13 10 XSS Issues and Defence
- 12. Prevention of XSS Attacks - At Client/Browser Side Dept. of CSE, RNSIT 2012-13 11 XSS Issues and Defence Figure: Architecture for Cross-Site Scripting in Browser side
- 13. Prevention of XSS Attacks - At Server Side Dept. of CSE, RNSIT 2012-13 12 XSS Issues and Defence Figure: Architecture for Cross-Site Scripting in Server side
- 14. Conclusion Dept. of CSE, RNSIT 2012-13 13 XSS Issues and Defence Always practice using testing tools during the design phase to eliminate XSS holes in the application. Input validation and HTML escaping are essential, yet that must be applied at all application points accepting data. There is a misconception sometimes applied to XSS holes in general which leads to a disagreement in the security community as to the importance of cross-site scripting vulnerabilities. XSS-Prevention Best Practices Implement XSS-Prevention in application Do not assume input values are always good Do not trust client side validation Check and validate all input before processing Do not echo any input value without validation Use one conceptual solution in all applications
- 15. References [1] Client-side cross-site scripting protection byEngin Kirdaa,*, Nenad Jovanovicb, Christopher Kruegelc, Giovanni Vignac (a)Institute Eurecom, France (b) Secure Systems Lab, Technical University Vienna, Austria (c) University of California, Santa Barbara, USA [2] A Server Side Solution for Protection of Web Applications from Cross-Site Scripting Attacks A. Duraisamy, M.Sathiyamoorthy, S.Chandrasekar International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278 - 3075, Volume-2, Issue-4, March 2013 [3] Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side S.SHALINI, S.USHA Engineering College, Chennai- 44, Tamilnadu, IndiaDepartment of Computer and Communication, Sri Sairam IJCSI International Journal of Computer Science Issues, Vol. 8, Issue 4, No 1, July 2011 ISSN (Online): 1694-0814 www.IJCSI.org [4] A Server Side Solution for Protection of Web Applications from Cross-Site Scripting Attacks A. Duraisamy, M.Sathiyamoorthy, S.Chandrasekar [5] Protection of Web Applications from Cross-Site Scripting Attacks in Browser Side K. Selvamani Department of Computer Science and Engineering Anna University, Chennai, India Dept. of CSE, RNSIT 2012-13 14 XSS Issues and Defence
- 16. Thank You.!