XSS Vulnerability: Causes, Prevention, and Exploitation Report

Verified

Added on 2023/05/27

AI Summary

This report provides an overview of Cross-Site Scripting (XSS) vulnerabilities, a type of injection attack where malicious scripts are injected into trusted websites. It defines XSS, detailing how attackers inject code into web applications and deliver it to victims' browsers. The report discusses the impact of XSS on websites like Facebook and Twitter and outlines prevention methods such as validation, encoding, and testing. It explores XSS exploitation techniques, including session hijacking and phishing attacks, and suggests preventative measures like using automated code scanning tools, checking third-party packages for vulnerabilities, and conducting penetration tests. References to relevant research papers are also included to support the analysis of XSS vulnerabilities and their mitigation.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: CROSS SITE SCRIPTING
CROSS SITE SCRIPTING
Name of Student
Name of University
Author’s Note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

1CROSS SITE SCRIPTING
Cross site scripting (XSS)
Cross site scripting can be defined as a sort of injection security attack where a
particular attacker injects information like some malicious script into the content that belongs
to a trusted website. Cross site scripting attacks take place when a specific untrusted source is
provided the opportunity to inject their own code into a particular web application, this
malicious code includes some dynamic content which is delivered to the browser of a victim
(Hydara, Sultan and Zulzalil 2015). Some websites that have been a victim of XSS
vulnerability are Facebook, Twitter, eBay, MySpace, Yahoo and some more.
Preventing XSS issues in website
XSS vulnerabilities can be prevented using numerous ways, these ways are as follows
 Validation: the web application developers must analyze the code for a smart
interpretation. The user inputs must be filtered from a malicious chain of numerous
commands. Both the persistent and reflective cross-site scripting vulnerabilities are
handled with the help of validation.
 Encoding: besides validation, escaping and filtration are some of the best practices
for avoiding XSS vulnerability. The inputs along with various special characters must
be ciphered in the respective URL or HTML codes (Yusof and Pathan 2016). The
users can also look in outbound or inbound handling as well. Encoding brings about
all its share of the limitations.
 Testing: a XSS prevention model cannot be completed without testing of its input
fields at its regular intervals. Nowadays it is necessary for manual expert intervention
for testing various web applications for their logics that is not possible for a machine.
Exploitation of XSS
XSS can be exploited for various reasons, these reasons include

2CROSS SITE SCRIPTING
 Session hijacking attack: this attack would utilize JavaScript to steal the cookies of
current users along with their session cookie. It utilizes a script tag in order to append
an image to a specific current page. When the image is loaded the victim would send
his cookies to the evil domain.
 Phishing attack: this attack uses SS, JavaScript or HTML to make the victim fall into
trap and log in. it usually overwrites the HTML of the present page in order to look
similar to the login page (Sonewar and Mhetre 2015). The credentials of the victims
are already sent to the hacker and not the website when he tried to log in.
How to prevent attackers from using this vulnerability
Attackers can be prevented from exploiting the vulnerability by using various steps, these
include
 Tools that can used for automatic source code scanning must be used while
developing applications. An efficient Web vulnerability Scanner would spot some
common technical issues.
 If third party packages such as search engines are used on the site, they should be
checked for configuration or vulnerabilities issues with various vendors (Fang, Li and
Liu 2018). This must be done by running a test on how they deal with unwanted input.
 Before putting a Web application live, a penetration test must be conducted.
Simulation of an attack, the user can evaluate if the site still consists of any XSS
vulnerability.

3CROSS SITE SCRIPTING
References
Fang, Y., Li, Y., Liu, L. and Huang, C., 2018, March. DeepXSS: Cross Site Scripting
Detection Based on Deep Learning. In Proceedings of the 2018 International Conference on
Computing and Artificial Intelligence (pp. 47-51). ACM.
Hydara, I., Sultan, A.B.M., Zulzalil, H. and Admodisastro, N., 2015. Current state of research
on cross-site scripting (XSS)–A systematic literature review. Information and Software
Technology, 58, pp.170-186.
Sonewar, P.A. and Mhetre, N.A., 2015, January. A novel approach for detection of SQL
injection and cross site scripting attacks. In Pervasive Computing (ICPC), 2015 International
Conference on (pp. 1-4). IEEE.
Yusof, I. and Pathan, A.S.K., 2016. Mitigating cross-site scripting attacks with a content
security policy. Computer, 49(3), pp.56-63.