Cross Site Scripting

Cross-Site Scripting (XSS) attacks occur when malicious scripts are injected into trusted websites. Attackers can use XSS to steal users' cookies and login information, modify web pages, or execute commands on users' machines. XSS happens when a website fails to validate or encode untrusted user input displayed on web pages. Proper input validation and output encoding are needed to prevent XSS attacks.

Uploaded by

mamatha

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

81 views20 pages

Cross Site Scripting

Uploaded by

mamatha

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

You are on page 1/ 20

 Cross –Site Scripting (XSS) Attacks are a type of

Injection , In which malicious Scripts are injected into a

Trusted Web sites.
 * Scripting
 * Cross-Site
 * Attack
 Scripting:
 Web Browsers can execute commands
◦ Embedded in HTML page
◦ Supports different languages (JavaScript, VBScript, ActiveX, etc.)
◦ Most prominent : JavaScript

 “Cross-Site” means :
 Foreign script sent via server to client
◦ Attacker „makes “ Web-Server deliver malicious script code
◦ Malicious script is executed in Client’s Web Browser

 Attack:
◦ Steal Access Credentials, Denial –of –Service , Modify Web pages
◦ Execute any command at the client machine
 XSS attacks occur when an attacker uses a web application to
send malicious code, generally in the form of a browser side
script, to a different end user.

 Flaws that allow these attacks to succeed are quite widespread

and occur anywhere a web application uses input from a user
within the output it generates without validating or encoding
it.
 Malicious JavaScript can be used to do all sorts of
malicious tasks.
 It can be used to steal users cookies, allowing for
someone to use the website pretending to be that user.
* A Web application accepts user input.
* The input is used to create dynamic content
*The input is insufficiently validated

Users:
*An Attacker, Client
*A company’s Web Server (i.e., Web application)
 In order to run malicious JavaScript code in a victim’s
browser, an attacker must first find a way to inject a payload
into a web page that the victim visits.

 Of course, an attacker could use social engineering techniques

to convince a user to visit a vulnerable page with an injected
JavaScript payload.

 In order for an XSS attack to take place the vulnerable website

needs to directly include user input in its pages. An attacker
can then insert a string that will be used within the web page
and treated as code by the victim’s browser
 XSS attack’s first target is the Client
◦ Client trusts server (Does not expect attack)
◦ Browser executes malicious script

 But second target = Company running the Server

◦ Loss of public image (Blame)
◦ Loss of customer trust
◦ Loss of money
There are certain rules for preventing XSS .They are:
RULE #0 - Never Insert Untrusted Data Except in
Allowed Locations

RULE #1 - HTML Escape Before Inserting

Untrusted Data into HTML Element Content

RULE #2 - Attribute Escape Before Inserting

Untrusted Data into HTML Common Attributes

RULE #3 –
JavaScript Escape Before Inserting Untrusted Data
into JavaScript Data Values
RULE #4 –
CSS Escape And Strictly Validate Before Inserting
Untrusted Data into HTML Style Property Values

RULE #5 –
URL Escape Before Inserting Untrusted Data into
HTML URL Parameter Values

RULE #6 –
Sanitize HTML Markup with a Library Designed for
the Job
RULE #7 –
Prevent DOM-based XSS
There are three types of XSS
They are:
* Stored XSS,
* Reflected XSS and
* DOM-based XSS.
* The most damaging type of • * Login to Webgoat and
XSS is Stored (Persistent) navigate to cross site
XSS. scripting(xss) Section. Let
us execute a Stored Cross
* Stored XSS attacks involves Site Scripting (XSS) attack.
an attacker injecting a script Below is the snapshot of the
that is permanently stored scenario.
on the target application
 In Reflected XSS, the
attacker’s payload script
has to be part of the
request which is sent to
the web server and
reflected back in such a
way that it response
includes the payload
from the HTTP request
 DOM-based XSS is an
advanced type of XSS attack  The most dangerous part of
which is made possible when DOM-based XSS is that the
the web application’s client side attack is often a client-side
scripts write user provided data attack, and the attacker’s
to the (DOM). payload is never sent to the
server.


* If the data is incorrectly

handled, an attacker can inject a
payload, which will be stored as
part of the DOM and executed
when the data is read back from
the DOM.
Access to authentication credentials for Web application
* Cookies, Username and Password
XSS is not a harmless flaw !\

* Normal users
Access to personal data (Credit card, Bank Account)

* High privileged users

Control over Web application
* Denial-of-Service
Crash Users`Browser, Pop-Up-Flodding, Redirection

* Access to Users` machine

Use ActiveX objects to control machine

* Spoil public image of company

Redirect to dialer download
Contextual output encoding/escaping of string input
Safely validating untrusted HTML input
* Cookie security
* Disabling scripts
* Emerging defensive technologies
Cross:
Site Scripting is extremly dangerous
Cause:
Missing or in-sufficient input validation
XSS:
Prevention Best Practices

CB3591 ESSS Manual
No ratings yet
CB3591 ESSS Manual
30 pages
Bug Bounty Course
No ratings yet
Bug Bounty Course
28 pages
200 IT Security Job Interview Questions-1
100% (2)
200 IT Security Job Interview Questions-1
188 pages
INE Web Application Penetration Testing XSS Attacks Course File - Unlocked
No ratings yet
INE Web Application Penetration Testing XSS Attacks Course File - Unlocked
47 pages
Major Project Report-9
No ratings yet
Major Project Report-9
59 pages
Cross Site Scripting XSS CSS: Also Known As or
No ratings yet
Cross Site Scripting XSS CSS: Also Known As or
219 pages
CH 04 Clickjacking
No ratings yet
CH 04 Clickjacking
18 pages
XSS Attack and Session Hijacking 2025
No ratings yet
XSS Attack and Session Hijacking 2025
73 pages
Detection of DOM-Based XSS Attack On Web Application
No ratings yet
Detection of DOM-Based XSS Attack On Web Application
9 pages
Cross Site Scripting
No ratings yet
Cross Site Scripting
15 pages
Practice Questions For OWASP
100% (1)
Practice Questions For OWASP
4 pages
Lect24.1&25 - XSS and Its Demonstration Using DVWA
No ratings yet
Lect24.1&25 - XSS and Its Demonstration Using DVWA
44 pages
Broken Web Security
No ratings yet
Broken Web Security
87 pages
Chapter 1 Cyber Security
No ratings yet
Chapter 1 Cyber Security
5 pages
Cross Site Scripting (XSS) : Description
No ratings yet
Cross Site Scripting (XSS) : Description
2 pages
Cross Site Scripting
No ratings yet
Cross Site Scripting
15 pages
PenTest XSS
No ratings yet
PenTest XSS
53 pages
Experiment 7
No ratings yet
Experiment 7
9 pages
WE - Cross Site Scripting
No ratings yet
WE - Cross Site Scripting
5 pages
(CyberSec'24) Lab05 - Student Version
No ratings yet
(CyberSec'24) Lab05 - Student Version
29 pages
Cybersecurity 11 Feb (Part 1)
No ratings yet
Cybersecurity 11 Feb (Part 1)
25 pages
Cross Site Scripting Presentation Slides
No ratings yet
Cross Site Scripting Presentation Slides
23 pages
Lec07 XSS Clickjacking 1.5m
No ratings yet
Lec07 XSS Clickjacking 1.5m
53 pages
Lecture 19 IS BSE 7A SMI Fall 2024
No ratings yet
Lecture 19 IS BSE 7A SMI Fall 2024
35 pages
Serie 11
No ratings yet
Serie 11
3 pages
Week13 Essay2-Vxd240002
No ratings yet
Week13 Essay2-Vxd240002
2 pages
XSS Attack and How To Mitigate It
No ratings yet
XSS Attack and How To Mitigate It
8 pages
Cross Site Scripting and HTML Injection 1739193556
No ratings yet
Cross Site Scripting and HTML Injection 1739193556
17 pages
Complete Network Security Interview QA
No ratings yet
Complete Network Security Interview QA
3 pages
SQL Injection and XSS-2
No ratings yet
SQL Injection and XSS-2
20 pages
Chapter 7
No ratings yet
Chapter 7
13 pages
Securing Web Applications Against Cross-Site Scripting (XSS) Vulnerabilities
No ratings yet
Securing Web Applications Against Cross-Site Scripting (XSS) Vulnerabilities
8 pages
NA
No ratings yet
NA
2 pages
Penetration Testing With Kali Linux OSCP Offensive Security Instant Download
100% (6)
Penetration Testing With Kali Linux OSCP Offensive Security Instant Download
56 pages
XSS Vulnerabilities
No ratings yet
XSS Vulnerabilities
6 pages
Cross-Site Scripting (XSS)
No ratings yet
Cross-Site Scripting (XSS)
17 pages
Cross-Site Scripting (XSS) : The End User's Browser Has No Way To Know That The Script Should
No ratings yet
Cross-Site Scripting (XSS) : The End User's Browser Has No Way To Know That The Script Should
13 pages
Cross-Site Scripting (XSS) : Offense
No ratings yet
Cross-Site Scripting (XSS) : Offense
24 pages
Cross Site Scripting (XSS)
No ratings yet
Cross Site Scripting (XSS)
32 pages
What Is Cross
No ratings yet
What Is Cross
3 pages
Esss Record H
No ratings yet
Esss Record H
30 pages
Prevention of Cross-Site Scripting Attacks XSS On
No ratings yet
Prevention of Cross-Site Scripting Attacks XSS On
5 pages
JavaScript Mastery
No ratings yet
JavaScript Mastery
80 pages
CH 006
No ratings yet
CH 006
32 pages
Cross-Site Scripting (XSS)
No ratings yet
Cross-Site Scripting (XSS)
8 pages
Task 2 Report Xss
No ratings yet
Task 2 Report Xss
16 pages
XSS Vulnerabilities Explained
0% (1)
XSS Vulnerabilities Explained
31 pages
Vulnerability Management Guideline v1.0.0 PUBLISHED
No ratings yet
Vulnerability Management Guideline v1.0.0 PUBLISHED
11 pages
Cyber Project Report
No ratings yet
Cyber Project Report
7 pages
Lecture 15 WebSecurity
No ratings yet
Lecture 15 WebSecurity
10 pages
Cross-Site Scripting (XSS)
No ratings yet
Cross-Site Scripting (XSS)
6 pages
Browser Security, Part 1
No ratings yet
Browser Security, Part 1
25 pages
Cross Site Scripting XSS
No ratings yet
Cross Site Scripting XSS
31 pages
Cross Site Scripting Cheat Sheet
No ratings yet
Cross Site Scripting Cheat Sheet
3 pages
Cross-Site Scripting (XSS)
No ratings yet
Cross-Site Scripting (XSS)
7 pages
2022 Gartner MQ For Application Security Testing
No ratings yet
2022 Gartner MQ For Application Security Testing
29 pages
Cross Site Scripting
No ratings yet
Cross Site Scripting
20 pages
Cross Site Scripting
No ratings yet
Cross Site Scripting
3 pages
WP Cross Site Scripting
No ratings yet
WP Cross Site Scripting
12 pages
WMS Exp2
No ratings yet
WMS Exp2
6 pages
E Commerce
No ratings yet
E Commerce
16 pages
Cross Site Scripting (XSS)
No ratings yet
Cross Site Scripting (XSS)
11 pages
Cross Site Scripting: Name/Mohammed Aburas ID/382015800
No ratings yet
Cross Site Scripting: Name/Mohammed Aburas ID/382015800
17 pages
Xss Research
No ratings yet
Xss Research
2 pages
Cyber Security Frameworks
100% (2)
Cyber Security Frameworks
107 pages
Cross-Site Scripting: Analysis, Identification and Exploitation
No ratings yet
Cross-Site Scripting: Analysis, Identification and Exploitation
28 pages
Xss Documentation
No ratings yet
Xss Documentation
6 pages
What Is Cross-Site Scripting (XSS) ?
No ratings yet
What Is Cross-Site Scripting (XSS) ?
4 pages
N Slab Final
No ratings yet
N Slab Final
15 pages
Web Security Testing Guide
No ratings yet
Web Security Testing Guide
17 pages
A Study On Removal Techniques of Cross-Site From Web Application
No ratings yet
A Study On Removal Techniques of Cross-Site From Web Application
7 pages
Beginner's Guide to XSS Security
No ratings yet
Beginner's Guide to XSS Security
8 pages
Web Pentest 6 Months
No ratings yet
Web Pentest 6 Months
5 pages
Understanding XSS for Web Developers
No ratings yet
Understanding XSS for Web Developers
4 pages
Fortigate 80c
No ratings yet
Fortigate 80c
338 pages
CS0-002 PrepAway
100% (1)
CS0-002 PrepAway
88 pages
XSS Vulnerability Testing Guide
No ratings yet
XSS Vulnerability Testing Guide
8 pages
OWASP Top Ten - Comparison of 2003,2004,2007,2010,2013 and 2017 Releases
No ratings yet
OWASP Top Ten - Comparison of 2003,2004,2007,2010,2013 and 2017 Releases
2 pages
I18n Whitepaper
No ratings yet
I18n Whitepaper
16 pages
M05 - Managing Network Security
No ratings yet
M05 - Managing Network Security
32 pages
Cross Script Xss
No ratings yet
Cross Script Xss
3 pages
AWS Manual
No ratings yet
AWS Manual
53 pages
PentestTools WebsiteScanner Report
No ratings yet
PentestTools WebsiteScanner Report
7 pages
Assignment 2 - Project Implementation Report
No ratings yet
Assignment 2 - Project Implementation Report
51 pages
PCI DSS Compliance for AWS Users
No ratings yet
PCI DSS Compliance for AWS Users
117 pages
© 2018 Caendra, Inc. - Hera For PTP - From XSS To Domain Admin
No ratings yet
© 2018 Caendra, Inc. - Hera For PTP - From XSS To Domain Admin
29 pages
Mobile App Security Report: TeamViewer
No ratings yet
Mobile App Security Report: TeamViewer
13 pages
Wallarm Q3-2023 API ThreatStats Report v1.1
No ratings yet
Wallarm Q3-2023 API ThreatStats Report v1.1
16 pages
0x4 ACS Dev+Sec 2.0 Internship Timetable
No ratings yet
0x4 ACS Dev+Sec 2.0 Internship Timetable
3 pages