2. Contents
Introduction
Impact of XSS attacks
Types of XSS attacks
Detection of XSS attacks
Prevention of XSS attacks
At client side
At Server side
Conclusion
References
Dept. of CSE, RNSIT 2012-13 1
XSS Issues and Defence
3. Introduction
What is an XSS attack?
Why is it popular?
Inputs for XSS attacks?
4. Impact of XSS attack
Access to authentication credentials for Web application
Cookies, Username and Password
XSS is not a harmless flaw
Normal users
Access to personal data (Credit card, Bank Account)
Misuse account (order expensive goods)
Denial-of-Service
Crash User’s Browser, Pop-Up-Flooding, Redirection
Access to user’s machine
Use ActiveX objects to control machine
Upload local data to attacker's machine
Spoil public image of company
Load main frame content from other locations
5. Types of XSS Attacks
Non-persistent or Reflected Cross-Site Scripting attacks
Persistent or Stored Cross-Site Scripting attacks
DOM based Cross-Site Scripting attacks
6. Reflected XSS Attacks
The attacker-provided script is embedded in the web page that the server
generates as the immediate response to an HTTP request.
http://myserver.com/test.jsp?name=Stefan
<HTML>
<Body>
Welcome Stefan
</Body>
</HTML>
http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>
<HTML>
<Body>
Welcome <script>alert("Attacked")</script>
</Body>
</HTML>
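The two responses above, reproduced as an added example (not code from the original slides): the welcome page echoing the name parameter verbatim, next to the same page with HTML escaping applied on output. The function names are hypothetical; the URLs are the ones shown above.

```javascript
// Added example: the welcome page from the slides, rendered two ways.
// escapeHtml, nameFromUrl and the render* functions are hypothetical names.

// Replace the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the "name" query parameter, as test.jsp / welcome.jsp would.
function nameFromUrl(requestUrl) {
  return new URL(requestUrl).searchParams.get('name') || '';
}

// Behaviour shown on the slides: the parameter is echoed verbatim.
function renderWelcomeVulnerable(requestUrl) {
  return `<HTML>\n<Body>\nWelcome ${nameFromUrl(requestUrl)}\n</Body>\n</HTML>`;
}

// Hardened form: the same page with the value HTML-escaped on output.
function renderWelcomeEscaped(requestUrl) {
  return `<HTML>\n<Body>\nWelcome ${escapeHtml(nameFromUrl(requestUrl))}\n</Body>\n</HTML>`;
}

// The two request URLs used on the slides.
const benign = 'http://myserver.com/test.jsp?name=Stefan';
const hostile = 'http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script>';

for (const url of [benign, hostile]) {
  console.log(renderWelcomeVulnerable(url));
  console.log(renderWelcomeEscaped(url));
}
```

With escaping on output the browser displays the submitted text instead of parsing it as a script element, and the benign request renders exactly as before.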
8. Stored XSS Attacks
The attacker-provided script is stored in a database, then later retrieved and
embedded in the web page generated by the server.
Unvalidated Input resulted in a Cross-Site Scripting Attack and the
theft of the Administrator’s Cookie
10. Detection Of XSS
Check if special characters are encoded
<XSS> vs. &lt;XSS&gt;
Check if a double quote escape can be evaded
<script>alert(String.fromCharCode(88, 83, 83));</script>
Check if script can be executed
<script>alert("XSS")</script>
11. Detection Of XSS Cont..
Check if input filtering can be evaded
<SCRIPT>alert("XSS");//</SCRIPT>
Denial of service
<script>alert(document.cookie);</script>
article.php?title=<meta%20http-equiv="refresh"%20content="0;">
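The first detection check (are special characters encoded in the response?) automated as an added example, not part of the original slides: it classifies each response body by whether the <XSS> probe comes back verbatim, comes back only as HTML entities, or was filtered out. The function names and the sample response bodies are constructed for illustration.

```javascript
// Added example: decide whether a response encoded a reflected probe.
// classifyReflection, auditResponses and the sample bodies are constructed here.

const NAMED = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };

// Decode named and numeric entities in one pass so nothing is decoded twice.
function decodeEntities(html) {
  const pattern = /&(?:#(\d{1,5})|#x([0-9a-f]{1,4})|(lt|gt|quot|amp|apos));/gi;
  return html.replace(pattern, (match, dec, hex, name) => {
    if (dec) return String.fromCodePoint(Number(dec));
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    return NAMED[name.toLowerCase()];
  });
}

// 'raw'     -> probe is present verbatim: special characters were not encoded
// 'encoded' -> probe is present only after entity decoding
// 'absent'  -> probe was stripped or rewritten before output
function classifyReflection(body, probe) {
  const haystack = body.toLowerCase(); // HTML tag names are case-insensitive
  const needle = probe.toLowerCase();
  if (haystack.includes(needle)) return 'raw';
  if (decodeEntities(haystack).includes(needle)) return 'encoded';
  return 'absent';
}

// Return the names of the responses that still need output encoding.
function auditResponses(responses, probe) {
  return Object.entries(responses)
    .filter(([, body]) => classifyReflection(body, probe) === 'raw')
    .map(([name]) => name);
}

// Constructed sample responses to a request carrying the probe <XSS>.
const PROBE = '<XSS>';
const SAMPLE_RESPONSES = {
  'welcome.jsp': '<HTML><Body>Welcome <XSS></Body></HTML>',
  'profile.jsp': '<HTML><Body>Welcome &lt;XSS&gt;</Body></HTML>',
  'search.jsp': '<HTML><Body>Welcome &#60;xss&#x3E;</Body></HTML>',
  'about.jsp': '<HTML><Body>Welcome XSS</Body></HTML>',
};

console.log(auditResponses(SAMPLE_RESPONSES, PROBE));
```

A 'raw' result marks an output point that echoes input without encoding; 'absent' only shows that this one probe was filtered, not that the page is safe against other inputs.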
12. Prevention of XSS Attacks
- At Client/Browser Side
Figure: Architecture for Cross-Site Scripting in Browser side
13. Prevention of XSS Attacks
- At Server Side
Figure: Architecture for Cross-Site Scripting in Server side
14. Conclusion
Always practice using testing tools during the design phase to eliminate
XSS holes in the application.
Input validation and HTML escaping are essential, and they must be
applied at every point where the application accepts data.
There is a misconception sometimes applied to XSS holes in general
which leads to a disagreement in the security community as to the
importance of cross-site scripting vulnerabilities.
XSS-Prevention Best Practices
Implement XSS-Prevention in application
Do not assume input values are always good
Do not trust client side validation
Check and validate all input before processing
Do not echo any input value without validation
Use one conceptual solution in all applications