This document provides an introduction and overview of cross-site scripting (XSS) attacks. It discusses the impact of XSS, the different types (non-persistent, persistent, DOM-based), how XSS works by injecting client-side code through web requests, and includes demos. The document concludes with recommendations for preventing XSS, including validating and encoding input and output to avoid injecting malicious scripts.

2. #ABOUT ME
• Shubham Gupta (@hackerspider1)
• IT – Security Analyst at Broctagon Solutions.
• Bug Bounty Hunter.
• Capture The Flag (CTF) player.
• Acknowledged by more then 200 Organization.
2

3. TODAYS TALK
• Introduction
• Impact
• Types of XSS
• How XSS works
• Demo
• XSS Prevention
• Q&A?
3

4. INTRODUCTION TO XSS
•XSS is a code injection attack allowing the injection of
malicious code into a website
•Currently one of the most common attack
•Every website needs to turn on Javascript
•Caused by insufficient input validation
•JavaScript, VBScript, ActiveX, HTML, or Flash
4

5. IMPACT
• Stealing other user’s cookies
• Stealing their private information
• Performing actions on behalf of other users
• Redirecting to other websites
• Showing ads in hidden iframes and pop-ups
5

6. TYPES OF XSS
• Non-persistent XSS
• Persistent XSS
• Dom based XSS
6

7. NON-PERSISTENT XSS
• Non-persistent XSS or Reflected XSS
• Query in HTTP parameters or HTML form
• Affects XSS without properly sanitizing the request
7

8. PERSISTENT XSS
• Persistent XSS or Stored XSS
• Occurs when data is saved on server side
• Classic example: message board
8

9. DOM BASED XSS
•DOM (Document Object Model)
•Cross-site scripting vulnerability
•Appears in the DOM instead of part of the
HTML
•The payload cannot be found in the response
•Observed on runtime or by investigating the
DOM of the page
9
Example
…
var pos =
document.URL.indexOf("name=")+5
;
document.write(document.URL.sub
string(pos,document.URL.length));

10. HOW XSS WORKS?
• Web server gets data from web client
(POST, GET, COOKIES etc.) with the
request
• Malicious user can include client sidecode
snippets (javascript) into the data
10
Example :
Shubham<script>alert(“hacked”)</
script>

11. 11
Server
Hacker’s Browser
http request with
XSS JavaScript
http response with
XSS JavaScript

12. XSS OUTPUT
12

13. DEMO
13

14. REFLECTED XSS
14

15. 15

16. STORED XSS
16

17. 17

18. DOM BASED XSS
18

19. PREVENTIONS
•MORE THAN 70% OF WEB SECURITY ISSUES CAUSED BY XSS
•NEVER TRUST USER/CLIENT INPUT!
• CLIENT-SIDE CHECKS/CONTROLS HAVE TO BE INVOKED ON THE SERVER
TOO.
•IMPROPER INPUT VALIDATION
•IMPROPER OUTPUT VALIDATION
19

20. 20
•VALIDATE INPUT
•LETTERS IN A NUMBER FIELD?
•10 DIGITS FOR 4 DIGIT YEAR FIELD?
•OFTEN ONLY NEED ALPHANUMERIC
•CAREFUL WITH < > " ' AND =
•WHITELIST (E.G. /[A-ZA-Z0-9]{0,20}/)
•REJECT, DON’T TRY AND SANITIZE

21. 21
• VALIDATE OUTPUT
•ENCODE HTML OUTPUT
• IF DATA CAME FROM USER INPUT, A DATABASE, OR A FILE
• RESPONSE.WRITE(HTTPUTILITY.HTMLENCODE(REQUEST.FORM["NAME
"]));
• NOT 100% EFFECTIVE BUT PREVENTS MOST VULNERABILITIES
•ENCODE URL OUTPUT
• IF RETURNING URL STRINGS
• RESPONSE.WRITE(HTTPUTILITY.URLENCODE(URLSTRING));

22. THANKS
22

23. Q&A?
23