3. Introduction:
XSS is a vulnerability which, when present in websites or web applications, allows
malicious users (hackers) to insert their own client-side code (normally JavaScript) into those
web pages. When this malicious code is displayed along with the original web page
in the web client (browsers like IE, Mozilla, Chrome, etc.), it allows the hacker to gain
greater access to that page.
The attacker injects their own script code into a trusted website. The website’s
vulnerabilities are exposed, usually via JavaScript.
What is XSS:
XSS is one of the most common application level attacks that hackers use to
sneak into web applications today.
4. Impact of XSS attack:
Stealing other users' cookies
Stealing their private information
Performing actions on behalf of other users
Redirecting to other websites
Showing ads and pop-ups
Crashing the user's browser, pop-up flooding, redirection
6. Reflected cross site scripting:
An attacker-provided script is embedded in the web page generated by the
server as an immediate response to an HTTP request.
http://localhost:8081/project_library/Loggedin.jsp?LoginMsg=sundhar%20!%20welcome%20to%20student%20library%3Cscript%3Ealert(%27xss%27)%3C/script%3E
<html>
<body>
LoginMsg <script>alert('xss')</script>
</body>
</html>
7. Reflected cross site scripting:
<html>
<body>
Welcome message
name = attacker
</body>
</html>
http://localhost:8081/project_library/Loggedin.jsp?LoginMsg=sundhar%20!%20welcome%20to%20student%20library%3Cscript%3Ealert(%27xss%27)%3C/script%3E%20name=attacker
8. Stored XSS attack:
An attacker-provided script is stored in a database and later retrieved and embedded in the
web page generated by the server.
An alert occurs when the
page is redirected
12. Prevent XSS Attack by code sanitizing:
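function encodeHTML(s) {
    // Encode & first so the entities produced by the later replacements are not double-encoded
    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}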
Create a method encodeHTML (with this method, HTML content is appended as a string)
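The reflected request from slide 6, rendered without and with output encoding, as an added example that is not code from the original slides. It stands in for Loggedin.jsp with plain JavaScript; getLoginMsg, renderUnsafe, renderSafe and hasScriptTag are hypothetical names, and this encodeHTML also encodes > and ' so the value stays inert inside single-quoted attributes.

```javascript
// Characters that can change how the browser parses HTML, and their entities.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for the HTML body and quoted-attribute contexts.
function encodeHTML(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Extract and URL-decode the LoginMsg parameter, as the server does before rendering.
function getLoginMsg(url) {
  return new URL(url).searchParams.get('LoginMsg') || '';
}

// Vulnerable: the parameter is concatenated into the response unchanged.
function renderUnsafe(url) {
  return `<html>\n<body>\n${getLoginMsg(url)}\n</body>\n</html>`;
}

// Hardened: the parameter is encoded at the point of output.
function renderSafe(url) {
  return `<html>\n<body>\n${encodeHTML(getLoginMsg(url))}\n</body>\n</html>`;
}

// True if the response contains markup the browser would parse as a script element.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Request URL taken from the reflected XSS slide.
const SLIDE_URL =
  'http://localhost:8081/project_library/Loggedin.jsp?LoginMsg=' +
  'sundhar%20!%20welcome%20to%20student%20library%3Cscript%3Ealert(%27xss%27)%3C/script%3E';

console.log('--- without encoding ---\n' + renderUnsafe(SLIDE_URL));
console.log('--- with encoding ---\n' + renderSafe(SLIDE_URL));
```

The encoded response shows the message, script text included, as visible characters instead of executing it.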
13. Conclusion:
XSS is a serious concern that requires attention
Mitigation requires awareness by developers and users
Security of code and encapsulation of data needs to be a concern and
component of every development project
All input data should be filtered and sanitized
Continuous clearing of cookies and logging out of websites is good
practice