Cross Site Scripting

Cross-Site Scripting (XSS) attacks occur when malicious scripts are injected into trusted websites. Attackers can use XSS to steal users' cookies and login information, modify web pages, or execute commands on users' machines. XSS happens when a website fails to validate or encode untrusted user input displayed on web pages. Proper input validation and output encoding are needed to prevent XSS attacks.


 Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into trusted websites.
 * Scripting
 * Cross-Site
 * Attack

 Scripting:
 Web browsers can execute commands
◦ Embedded in the HTML page
◦ Supports different languages (JavaScript, VBScript, ActiveX, etc.)
◦ Most prominent: JavaScript

 "Cross-Site" means:
 Foreign script sent via server to client
◦ Attacker "makes" the web server deliver malicious script code
◦ Malicious script is executed in the client's web browser

 Attack:
◦ Steal access credentials, denial of service, modify web pages
◦ Execute any command at the client machine
 XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

 Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

 Malicious JavaScript can be used to do all sorts of malicious tasks.

 It can be used to steal users' cookies, allowing someone to use the website pretending to be that user.
* A web application accepts user input.
* The input is used to create dynamic content.
* The input is insufficiently validated.

Users:
* An attacker, a client
* A company's web server (i.e., the web application)
 In order to run malicious JavaScript code in a victim's browser, an attacker must first find a way to inject a payload into a web page that the victim visits.

 Of course, an attacker could use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.

 In order for an XSS attack to take place, the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim's browser.
 XSS attack's first target is the client
◦ Client trusts server (does not expect an attack)
◦ Browser executes malicious script

 But the second target is the company running the server
◦ Loss of public image (blame)
◦ Loss of customer trust
◦ Loss of money
There are certain rules for preventing XSS. They are:

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
RULE #4 - CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
RULE #6 - Sanitize HTML Markup with a Library Designed for the Job
RULE #7 - Prevent DOM-based XSS
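The rules above say "escape for the context", but the slides do not show what that looks like in code. The following is an added example, not part of the original slides: one encoder per context for Rules #1, #2, #3 and #5, and a render function that picks the right encoder for each place untrusted data lands. The function names, the comment record and its field values are constructed for this illustration.

```javascript
// Added example: contextual output encoding for the four contexts in Rules #1, #2, #3 and #5.
// Function names and the CONSTRUCTED_COMMENT record are assumptions made for this illustration.

// Rule #1: HTML element content. Entity-encode the characters that can start markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Rule #2: HTML attribute value. Encode everything outside [A-Za-z0-9] as &#xHH; so the
// value can never close the surrounding quote or introduce a new attribute.
function escapeHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`);
}

// Rule #3: JavaScript string literal. Encode everything outside [A-Za-z0-9] as \xHH or
// \uHHHH, so neither a quote nor a "</script>" sequence can break out of the literal.
function escapeJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).toUpperCase().padStart(2, '0');
    // Astral characters arrive as two UTF-16 code units; emit one \uHHHH per unit.
    return ch.split('').map((u) => '\\u' + u.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0')).join('');
  });
}

// Rule #5: URL parameter value. The platform's percent-encoder is the right tool here.
function escapeUrlParameter(untrusted) {
  return encodeURIComponent(String(untrusted));
}

// A constructed comment whose fields each try to escape the context they will be placed in.
const CONSTRUCTED_COMMENT = {
  author: 'mallory" onmouseover="alert(1)',   // aims at the attribute context
  text: '<script>alert("xss")</script>',      // aims at the element-content context
  site: "'; alert(1); //",                     // aims at the JavaScript-string context
};

// Each interpolation uses the encoder for its own context. Using escapeHtml() everywhere
// would be the classic mistake: it leaves attribute and JavaScript contexts exposed.
function renderComment(c) {
  return [
    `<p data-author="${escapeHtmlAttribute(c.author)}">${escapeHtml(c.text)}</p>`,
    `<a href="/profile?u=${escapeUrlParameter(c.author)}">${escapeHtml(c.author)}</a>`,
    `<script>var site = '${escapeJsString(c.site)}';</script>`,
  ].join('\n');
}

// Count how many times a marker occurs; used to confirm only our own <script> block survives.
function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

console.log(renderComment(CONSTRUCTED_COMMENT));
```

Rule #4 (CSS) and Rule #6 (sanitizing HTML that must stay HTML) are deliberately left out: CSS values need strict allow-list validation on top of escaping, and sanitizing markup is a job for a dedicated library rather than a hand-written encoder.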
There are three types of XSS. They are:
* Stored XSS,
* Reflected XSS and
* DOM-based XSS.
* The most damaging type of XSS is Stored (Persistent) XSS.

* Stored XSS attacks involve an attacker injecting a script that is permanently stored on the target application.

* Login to WebGoat and navigate to the Cross Site Scripting (XSS) section. Let us execute a Stored Cross Site Scripting (XSS) attack. Below is the snapshot of the scenario.

 In Reflected XSS, the attacker's payload script has to be part of the request which is sent to the web server and reflected back in such a way that the HTTP response includes the payload from the HTTP request.

 DOM-based XSS is an advanced type of XSS attack which is made possible when the web application's client-side scripts write user-provided data to the Document Object Model (DOM).

* If the data is incorrectly handled, an attacker can inject a payload which will be stored as part of the DOM and executed when the data is read back from the DOM.

 The most dangerous part of DOM-based XSS is that the attack is often a client-side attack, and the attacker's payload is never sent to the server.
XSS is not a harmless flaw!

* Access to authentication credentials for the web application
◦ Cookies, username and password

* Normal users
◦ Access to personal data (credit card, bank account)

* High-privileged users
◦ Control over the web application

* Denial-of-Service
◦ Crash users' browser, pop-up flooding, redirection

* Access to users' machine
◦ Use ActiveX objects to control the machine

* Spoil public image of company
◦ Redirect to dialer download
* Contextual output encoding/escaping of string input
* Safely validating untrusted HTML input
* Cookie security
* Disabling scripts
* Emerging defensive technologies
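"Cookie security" in the list above is the countermeasure that limits what an injected script can do with the session cookies the earlier slides describe being stolen. As an added example, not part of the original slides, the following audits Set-Cookie headers for the attributes that matter here and builds a hardened header for comparison. The header samples are constructed for this illustration and the cookie names are assumptions.

```javascript
// Added example: audit Set-Cookie headers for the attributes that keep a session cookie
// out of reach of injected script. Header samples are constructed for this illustration.

// Parse one Set-Cookie header value into its name, value and lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Return the list of weaknesses found; an empty list means the cookie carries all three
// attributes this check expects.
function auditSessionCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) {
    findings.push('HttpOnly missing: document.cookie exposes the value to any injected script');
  }
  if (!attributes.secure) {
    findings.push('Secure missing: the cookie is also sent over plain HTTP');
  }
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : '';
  if (sameSite !== 'strict' && sameSite !== 'lax') {
    findings.push('SameSite missing or None: cross-site requests carry the cookie');
  }
  return findings;
}

// Build a Set-Cookie header that passes the audit above.
function buildSessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Strict`;
}

// Constructed sample headers: a bare cookie, a partially hardened one, and the hardened form.
const CONSTRUCTED_HEADERS = [
  'JSESSIONID=abc123; Path=/',
  'session=xyz; Path=/; Secure; SameSite=None',
  buildSessionCookie('session', 'xyz', 3600),
];

// Audit a batch of headers and pair each with its findings, as a review script would.
function auditAll(headers) {
  return headers.map((h) => ({ header: h, findings: auditSessionCookie(h) }));
}

for (const result of auditAll(CONSTRUCTED_HEADERS)) {
  console.log(result.header);
  for (const f of result.findings) console.log('  -', f);
}
```

HttpOnly stops script from reading the cookie, but it does not stop script that is already running in the page from sending requests as the logged-in user; that is why the slides list it alongside output encoding rather than instead of it.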
Cross-Site Scripting is extremely dangerous.
Cause: Missing or insufficient input validation.
XSS Prevention Best Practices
