Cross Site Scripting
1/12
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Next
Restart
Back
Cross-Site Scripting (XSS)
is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
Close
2/12
Cross Site Scripting
Like the changing storyline of Little Red Riding Hood, code injection attacks change the storyline of existing programs or code. One such code injection attack is cross-site scripting (XSS).
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web sites or web applications. XSS enables attackers to inject malicious scripts into legitimate web sites viewed by other users in their browsers. When the page loads in the victim’s browser, the attacker’s malicious script will execute, most often without the user realizing or being able to prevent such an attack. The intent of these attacks is to steal information from, delete information from, compromise, or pwn the users computer.
pwn
is a hacker slang term derived from the verb own, meaning to appropriate or to conquer.
Browsers
a program with a graphical user interface for displaying HTML files, used to navigate the World Wide Web.
Web Applications
is a computer program which the client runs in a web browser. Common web applications include webmail, wikis, instant messaging services and many other
3/12
In order to run malicious code in a victim's browser, an attacker must first find a way to inject a payload into a web page that the victim visits. While XSS can be taken advantage of within VBScript, ActiveX, Flash, and JavaScript.
4/12
1
0
1
0
1
0
0
0
1
1
0
0
1
1
0
1
1
0
1
0
0
1
By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.
5/12
But you can prevent your website from being vulnerable from the storyline changing via XSS by escaping user inputs on your website. If your page doesn’t allow users to add their own code to the page, a good rule of thumb is to then escape any and all HTML, URL, and JavaScript entities. However, if your web page does allow users to add text, such as on forums or post comments, you have a few choices. You’ll either need to carefully choose which HTML entities you will escape and which you won’t, or by using a replacement format for raw HTML such as Markdown, which will in turn allow you to continue escaping all HTML.
^
10/12
Escaping User Inputs
performs data validation by only allow the user to input data of your expected type, otherwise it is discarded.
$
\
[
$value = $_POST['value’];
$value = db_fetch(‘SELECT value FROM table’);
$value =$rssFeed->first->title;
42
11/12
MostAwesomestUserNameEver
Validating Input
is the testing of any input supplied by a user to prevent improperly formed data from entering an information system.
A second method to prevent your website from being vulnerable from the storyline changing via XSS is by validating input. Validating input is the process of ensuring a web application or website is rendering the correct data and preventing malicious data from doing harm to the site, database, and users.
Malicious JavaScript has access to all the same objects the rest of the web page has, including access to cookies. Cookies are often used to store session tokens, if an attacker can obtain a user’s session cookie, they can impersonate that user.
6/12
&&
JavaScript can read and make modifications to the browser’s interface that allows programs dynamically access and update the content, structure, and style of a document.
7/12
submit
JavaScript can send HTTP requests with user content to destinations directed by the malicious code.
8/12
JavaScript in modern browsers can leverage accessing a user’s geolocation, webcam, microphone and even the specific files from the user’s file system. While most of these require users to opt-in, XSS in conjunction with some clever social engineering can bring an attacker a long way.
9/12
password
username
!
Username Must be 10 characters or less
Password Must be in the 5 to 120 range
2 Errors
Robert
Welcome Robert!
Sanitizing User Input
changing or escaping special characters maliciously inputted by a user to prevent improperly formed data from entering an information system.
And a final method to prevent your website from being vulnerable from the storyline changing via XSS is by sanitizing user input. Sanitizing user input is the process of checking user input before storing it in a database or using it for any other purpose to prevent malicious code injection.
’
12/12
Robert’