Cross Site Scripting
Running head: CROSS SITE SCRIPTING
Cross Site Scripting
Name of the Student:
Name of the University:
Author note
Table of Contents
Introduction
Operation of the Cross Site Scripting attack
CVE of the XSS attack
Intricacies of the real world incident
    Outcome of the XSS attack on eBay
    Impact of the XSS attack
    Security breach and the resultant consequences due to XSS attack
    Actions performed by the vendor/company/organisation to address the XSS attack
Conclusion
Reference
Introduction
Cross Site Scripting (XSS) is an attack against web applications, which are an attractive target because of their popularity and the pervasive use of the Internet (Antipa & Sanso, 2016). It is an injection attack against client side code: the attacker injects malicious script into a web application or website so that it executes in the browsers of other users. This paper gives an overview of the cross site scripting attack and how it operates in practice, and illustrates the stages of the attack. It then describes the outcome of a real world cross site scripting incident, its impact and consequences, and the security goal that was breached as a result. Finally, it describes the actions taken by the vendor and organisation to address the issue and the countermeasures that apply to this class of vulnerability.
Operation of the Cross Site Scripting attack
Cross Site Scripting is a vulnerability class that is typical of web applications. It allows an attacker to inject malicious code into web pages on the client side, so that the code runs in the browser of every other user who views those pages. The root cause is that the application builds its output from user input that has not been validated or encoded (Guamán et al., 2016). The attacker does not attack the victim directly; the threat reaches the victim indirectly, by exploiting the vulnerability in a website or application that the victim trusts. The
attacker uses the vulnerable website as the carrier that delivers the malicious script to the target browser.
Figure: Stages of operation of the Cross Site Scripting attack
Source: Author
The Cross Site Scripting (XSS) attack proceeds in the following stages. In the first stage the attacker locates an injection point: a place where the website or web application writes user controlled input into a page without encoding it. Scanning tools that are available online automate the search for such injection points (Goswami et al., 2017). In the second stage the attacker crafts the XSS payload, the malicious script that exploits the vulnerability. Advanced attackers also obfuscate the payload, for example by HEX encoding its characters, so that it evades input filters and signature based detection and is harder to locate afterwards (Gupta &
Gupta, 2017). The final stage is delivery: the attacker uses phishing and other social engineering techniques to trick users into clicking a link that carries the payload, or simply waits for them to visit a page where the payload has been stored. Once the victim's browser loads the injected script, the attack sequence runs without any further action from the user.
Figure: Steps of XSS attack
Source: Author
Under the browser's same-origin policy, a script served from one host cannot read the content of a page served from a different host, so it is normally impossible for a script on an attacker's site to obtain information from another site's page (Wang & Zhang, 2016). XSS makes this breach feasible because the injected script is delivered as part of the vulnerable site's own page and therefore runs with that site's origin. Cross Site Scripting thus opens a hole that allows the malicious code
to bypass the protections the browser implements for the visiting client. The injected code is crafted to slip past input verification so that the infectious script reaches the page intact.
There are three types of XSS attack: DOM based (local) XSS, non persistent (reflected) XSS, and second order (persistent or stored) XSS. In DOM based XSS the vulnerability lies in client side script that reads attacker controlled data from the URL (for example the fragment after #) and writes it into the page; the payload need never reach the server, and delivery relies on social engineering (Teto, Bearden & Lo, 2017). Reflected XSS occurs when the web server immediately uses the input from a request to build the response page, so the payload vector is a malicious uniform resource locator or link. Persistent XSS can be carried out with or without social engineering, because the payload is stored on the server and is served to every user who views the affected page.
Figure: Types of XSS attack (pie chart titled "Cross site Scripting Vulnerabilities" with slices for Reflected Cross site Scripting, Stored cross site Scripting and DOM based XSS; the slice values shown are 95%, 2% and 3%)
Source: Author
CVE of the XSS attack
Cross site scripting as a class is catalogued as a weakness (CWE-79, improper neutralisation of input during web page generation) rather than as a single CVE; each XSS vulnerability found in a specific product receives its own CVE identifier. The common exposure is the same in every case: untrusted data enters the web application, the application generates a web page that includes that data, and it fails to neutralise the data, so the browser of every victim who views the page executes it as script. Because almost every company operates web applications, the exposure is near universal, and its typical result is the theft of user credentials and other personal information.
Intricacies of the real world incident
Outcome of the XSS attack on eBay
The chosen incident is the cross site scripting attack on eBay. The attack aimed to steal users' login credentials and hijack the accounts of legitimate users. With a hijacked account the attacker could impersonate the real user and access sensitive information on the victim's behalf (Jin et al., 2014). The attack also allowed the attackers to redirect users to a phishing page through malicious links: a user who clicked such a link was taken to a fake eBay login page, and the credentials entered there were captured.
Impact of the XSS attack
XSS attacks the company's website directly, but the damage extends to the company itself, including reputational harm and the loss of customers and stakeholders (Yusof & Pathan, 2016). The eBay attack cost the company customer trust and confidence. The organisation also suffered financial loss and lost customers, as it struggled to resolve the customers' complaints. The website remained exposed to phishing, in which a click on the links provided
would lead to fake sites that captured the user's information. It could also lead to the installation of malware on the user's system.
Security breach and the resultant consequences due to XSS attack
The security goal breached here is confidentiality: security measures exist to prevent users' sensitive information from being revealed to attackers. The eBay website stores personal information such as personal files, bank account details, payment information and client data, and hijacking a user's credentials exposes all of it. The consequences of the XSS attack were the loss of consumer trust and confidence in the organisation (Sulatycki & Fernandez, 2015), interruption of the business process and tremendous damage to the organisation's reputation.
Actions performed by the vendor/company/organisation to address the XSS attack
XSS is prevented by three complementary measures. The first is output escaping (encoding) of user supplied data at the point where it is written into the page, so that the browser treats it as text rather than markup and the application is safe for users (Mahmoud et al., 2017). The second is input validation against an allowlist of expected formats, which stops malformed or malicious data from entering the system in the first place. The third is sanitisation of input that must legitimately carry some markup, removing the tags and event handlers that could execute script. A Content Security Policy can be deployed in addition, to restrict what an injected script is allowed to do (Yusof & Pathan, 2016).
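The three measures just listed, as an added example written for this page (not code from the paper, from eBay or from any cited reference): context aware output encoding, allowlist validation and a small sanitiser, in Node.js. The templates, the order id format and the allowed tag set are assumptions made for illustration.

```javascript
// Added example (not from the paper): output escaping, input validation and
// sanitisation for XSS prevention. Templates, formats and inputs are constructed.

// 1. Output encoding, chosen per context. Escaping happens where data is written
//    into HTML, because a string that is safe in one context is dangerous in another.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  })[ch]);
}

// Inside a JavaScript string literal HTML escaping is not enough: encode every
// character outside [A-Za-z0-9] as \uXXXX so the value can neither close the
// quote nor terminate the <script> block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    ch => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSearchPage(query) {
  return [
    `<h1>Results for ${escapeHtml(query)}</h1>`,                       // HTML body context
    `<input name="q" value="${escapeHtml(query)}">`,                   // quoted attribute context
    `<script>var lastQuery = "${escapeJsString(query)}";</script>`,    // JS string context
  ].join('\n');
}

// 2. Input validation against an allowlist: reject anything that does not match
//    the expected shape rather than trying to enumerate bad characters.
function validateOrderId(raw) {
  if (!/^[0-9]{1,12}$/.test(raw)) throw new RangeError('invalid order id');
  return raw;
}

// 3. Sanitisation for fields that must carry limited markup (a comment that may
//    use <b>, <i> and <p>). Allowed tags are regenerated without attributes, so
//    event handlers such as onerror are dropped; everything else is escaped.
//    Teaching version only: production code should use a maintained sanitiser
//    such as DOMPurify.
const ALLOWED_TAGS = new Set(['b', 'i', 'p']);
function sanitizeRichText(html) {
  const tag = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = '', last = 0, m;
  while ((m = tag.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));       // text between tags
    const name = m[2].toLowerCase();
    out += ALLOWED_TAGS.has(name) ? `<${m[1]}${name}>` : escapeHtml(m[0]);
    last = tag.lastIndex;
  }
  return out + escapeHtml(html.slice(last));
}

// Run the hardened rendering against a typical payload and report what survives.
function checks() {
  const payload = '<img src=x onerror="alert(1)">';
  const page = renderSearchPage(payload);
  return {
    noRawTag: !page.includes('<img'),                   // no context lets the tag through
    jsSafe: page.includes('\\u003cimg'),                // JS context got \u-encoded
    sanitized: sanitizeRichText('<b onclick="x()">hi</b> <img src=x onerror=alert(1)>'),
  };
}

console.log(checks());
```

The order matters in practice: validation rejects what should never arrive, sanitisation tames the fields that must carry markup, and output encoding is applied unconditionally at render time, because it is the only one of the three that does not depend on guessing what the data will be used for.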
Conclusion
XSS occurs mainly because applications use input directly, without validating or encoding it. These attacks aim at stealing individuals' credentials: they inject malicious code into a web page, and that code harvests the credentials of the users who view it. For the organisation the result is immense damage to its reputation and heavy financial loss, together with a loss of customer trust and confidence.
Reference
Antipa, D., & Sanso, A. (2016). U.S. Patent Application No. 14/541,785.
Goswami, S., Hoque, N., Bhattacharyya, D. K., & Kalita, J. (2017). An Unsupervised Method
for Detection of XSS Attack. IJ Network Security, 19(5), 761-775.
Guamán, D., Guamán, F., Jaramillo, D., & Correa, R. (2016). Implementation of Techniques,
Standards and Safety Recommendations to Prevent XSS and SQL Injection Attacks in
Java EE RESTful Applications. In New Advances in Information Systems and
Technologies (pp. 691-706). Springer, Cham.
Gupta, S., & Gupta, B. B. (2017). Cross-Site Scripting (XSS) attacks and defense
mechanisms: classification and state-of-the-art. International Journal of System
Assurance Engineering and Management, 8(1), 512-530.
Jin, X., Hu, X., Ying, K., Du, W., Yin, H., & Peri, G. N. (2014, November). Code injection
attacks on html5-based mobile apps: Characterization, detection and mitigation.
In Proceedings of the 2014 ACM SIGSAC Conference on Computer and
Communications Security (pp. 66-77). ACM.
Mahmoud, S. K., Alfonse, M., Roushdy, M. I., & Salem, A. B. M. (2017, December). A
comparative analysis of Cross Site Scripting (XSS) detecting and defensive
techniques. In Intelligent Computing and Information Systems (ICICIS), 2017 Eighth
International Conference on (pp. 36-42). IEEE.
Sulatycki, R., & Fernandez, E. B. (2015, October). A threat pattern for the cross-site scripting
(XSS) attack. In Proceedings of the 22nd Conference on Pattern Languages of
Programs (p. 16). The Hillside Group.
Teto, J. K., Bearden, R., & Lo, D. C. T. (2017, April). The Impact of Defensive Programming
on I/O Cybersecurity Attacks. In Proceedings of the SouthEast Conference (pp. 102-
111). ACM.
Wang, X., & Zhang, W. (2016). Cross-site scripting attacks procedure and Prevention
Strategies. In MATEC Web of Conferences (Vol. 61, p. 03001). EDP Sciences.
Yusof, I., & Pathan, A. S. K. (2016). Mitigating cross-site scripting attacks with a content
security policy. Computer, 49(3), 56-63.