Report on XSS Input Problems and Countermeasures in Software Security

Input Problems for Cross Site Scripting (XSS)
Software Security
3/5/2018
Table of Contents
Introduction .......... 2
Input Problems for XSS .......... 2
Impact in Software Security .......... 2
Set of Countermeasures .......... 3
References .......... 4
Introduction
Cross-Site Scripting, commonly abbreviated as XSS, is one of the most common
vulnerabilities affecting web applications. XSS allows an attacker to inject content into a
website and alter how its contents are displayed, which in turn causes the browser used by the
victim to execute the attacker's malicious code (Gupta & Sharma, 2012).
Input Problems for XSS
The primary cause of XSS attacks is malicious input. In the absence of input validation,
attackers can easily shape their input into an attack. The most frequent and damaging form of
XSS is stored (persistent) XSS. In this case the input is a script, referred to as the payload,
which is injected into the target application. For instance, the attacker may submit the
payload as a comment on a blog or forum; the script then executes whenever a user accesses
the page. Document Object Model (DOM) based XSS is also common: the DOM environment is
modified so that the payload behaves in a malevolent manner. For instance, if a <div> element
is used to display input, writing that input through innerHTML increases the likelihood of the
attack (Shrivastava, Choudhary & Kumar, 2016).
Reflected XSS is likewise executed with malicious input, sent as part of a request. Phishing
and social engineering techniques are used to make the victim issue requests to the web server
that include the XSS payload.
Impact in Software Security
XSS is a versatile attack that paves the way for numerous social engineering attacks and
client-side issues. It gives attackers the ability to hijack user accounts by capturing the
cookies associated with the victims' web sessions, which exposes private and confidential
information to the attackers. The attackers may also use impersonation techniques to cause
further damage. An XSS vector can also use HTML and JavaScript to capture the users' account
credentials instead of their cookies. One way to do this is to clone the login page of the
specific web site or web application and then execute the XSS payload. There are
other unauthorised activities that XSS attacks may enable, for instance siphoning funds.
The impact of such incidents on end-users and other associated entities is extremely
negative. Private, sensitive, and confidential information is exposed to unauthorized entities
that may misuse it to cause further damage. Legal obligations may also arise for the business
organizations responsible for preserving the user data and information.
Set of Countermeasures
Numerous measures should be adopted to control and prevent XSS attacks.
Escaping user input is one of the primary measures that must be followed. It refers to taking
the application data and making sure it is safe before sending it to the end user. In this
process the key characters in the data, such as < and >, are encoded so that the browser
renders them as text rather than interpreting them as markup, and no damage is caused to the
application.
Another method is validation of the input. Input validation combined with whitelisting can be
used to validate the data input and prevent XSS attacks. Blacklisting checks for and disallows
known-bad characters in the input, whereas whitelisting only allows characters that are known
in advance to be good. Input validation can also yield significant results in preventing XSS
when applied to forms: the validation ensures that special characters are not accepted in the
form fields, which reduces the impact of the attacks.
Sanitization of user input is another measure that can prevent XSS attacks. It is a defense
mechanism that should be combined with the other measures. It has given successful results on
websites that allow HTML mark-up: unacceptable user input is rewritten into an acceptable form
so that it cannot harm the user or the database (Wang & Zhang, 2016).
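As an added example that is not part of the original report, the three countermeasures above (escaping, allow-list validation, and sanitization for fields that permit limited mark-up) are applied in Node.js to the blog-comment scenario from the Input Problems section. All function names and the sample comment are constructed for illustration.

```javascript
// Added example (not from the report): the report's three countermeasures
// applied to a blog-comment feature. Plain Node.js, no dependencies.
// All names and the sample input below are constructed for illustration.

// 1. Escaping: encode the characters HTML treats as markup so the browser
//    renders them as literal text instead of interpreting them.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering (the stored-XSS case): the comment body is placed in
// the page unchanged, so a <script> submitted as a comment runs for every reader.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened rendering: each untrusted value is escaped exactly where it enters
// the HTML. The browser-side equivalent is element.textContent, not innerHTML.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// 2. Validation with an allow-list: a username may only contain characters
//    known in advance to be safe, so < > " ' and = are rejected outright.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;
function isValidUsername(name) {
  return USERNAME_RE.test(name);
}

// 3. Sanitization for fields that allow limited HTML mark-up: escape everything
//    first, then restore only exact, attribute-free tags from the allow-list.
//    An opening tag carrying attributes (onclick=, href=) stays escaped.
const ALLOWED_TAGS = ["b", "i", "em", "strong"];
function sanitizeMarkup(value) {
  let out = escapeHtml(value);
  for (const tag of ALLOWED_TAGS) {
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`);
    out = out.split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

// Constructed sample: a hostile comment as an attacker might submit it.
const hostile = '<script>alert(1)</script><b onclick="x()">hi</b><b>ok</b>';
console.log(renderCommentUnsafe("mallory", hostile)); // script tag survives
console.log(renderComment("mallory", hostile));       // every tag rendered inert
console.log(sanitizeMarkup(hostile));                 // only <b>ok</b> kept as markup
console.log(isValidUsername("mallory"), isValidUsername("<svg onload=1>"));
```

The escape-then-restore approach in sanitizeMarkup is deliberately conservative: because only the exact strings produced by escaping a bare allow-listed tag are turned back into markup, no attribute or unknown tag can survive into the output.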
References
Gupta, S., & Sharma, L. (2012). Exploitation of Cross-Site Scripting (XSS) Vulnerability on
Real World Web Applications and its Defense. International Journal of Computer
Applications, 60(14), 28-33. http://dx.doi.org/10.5120/9762-3594
Shrivastava, A., Choudhary, S., & Kumar, A. (2016). XSS vulnerability assessment and
prevention in web application. 2016 2nd International Conference on Next
Generation Computing Technologies (NGCT).
http://dx.doi.org/10.1109/ngct.2016.7877529
Wang, X., & Zhang, W. (2016). Cross-site scripting attacks procedure and Prevention
Strategies. MATEC Web of Conferences, 61, 03001.
http://dx.doi.org/10.1051/matecconf/20166103001