Cross-Site Scripting (XSS) is a prevalent web vulnerability that allows attackers to inject malicious scripts into trusted websites, compromising user information and access. There are three primary types of XSS attacks: reflected, stored, and DOM-based, each with specific methods of execution and impact. Prevention strategies include code sanitization, continuous monitoring, and user awareness to mitigate the risks associated with XSS vulnerabilities.

1. Cross site scripting (xss)
by chanakya
Attacks
Issues and Defense

2. Contents:
 Introduction
 Impact of XSS attack
 Types of XSS attack
 Prevention of XSS attacks
 Conclution
 Reference

3. Introduction:
 XSS is a vulnerability which when present in websites or web applications, allows
malicious users(Hackers) to insert their client side code(normally javaScript) in those
web pages. When this malicious code along with the original webpage gets displayed
in the web client (browsers like IE, Mozilla, Chrome, etc), allows Hacker to gain
greater access of that page.
 The attacker injects their own script code into a trusted website. The website’s
vulnerabilities are exposed, usually via JavaScript.
What is XSS:
 XSS is one of the most common application level attacks that hackers use to
sneak into web applications today.

4. Impact of XSS attack:
 Stealing other user’s cookies
 Stealing their private information
 Performing actions on behalf of other users
 Redirecting to other websites
 Showing add and pop-ups
 Crash Users Browser, Pop-Up-Flodding,Redirection

5. Types of XSS:
1) Reflected XSS
2) Stored XSS
3) DOM based XSS

6. Reflected cross site scripting:
 Attacker provided script is embedded in the web page generated by the
server as imediate response of an HTTP request.
http://localhost:8081/project_library/Loggedin.jsp?LoginMsg=sundhar%20!%20welcome%
20to%20student%20library%3Cscript%3Ealert(%27xss%27)%3C/script%3E
<html>
<body>
LoginMsg <script>alert(‘xss’)</script>
</body>
</html>

7. Reflected cross site scripting:
<html>
<body>
Welcome message
name = attacker
</body>
</html>
http://localhost:8081/project_library/Loggedin.jsp?LoginMsg=su
ndhar%20!%20welcome%20to%20student%20library%3Cscript
%3Ealert(%27xss%27)%3C/script%3E%20name=attacker

8. Stored XSS attack:
 Attacker provides a script is stored to a database and later retrieved embedded in the
web page generated by the server.
There is an alert accurs when the
page was redirect

9. Stored XSS – Step 1

10. Stored XSS-Step 2

11. Stored XSS attack:
Stored img through img tag in DB

12. Prevent XSS Attack by code sanitizing:
function encodeHTML(s) {
return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}
Create method encodeHTML : (This method will append HTML content as String)

13. Conclusion:
 XSS is a serious concern that requires attention
 Mitigation requires awareness by developers and users
 Security of code and encapsulation of data needs to be a concern and
component of every developement project
 All input data should be filtered and sanitized
 Continous clearing of cookies and logging out of website is good
practice