
Page 2 Oeconomics of Knowledge, Volume 4, Issue 3, 3Q, Summer 2012

Cross Site Scripting (XSS) in Action

Felician ALECU, PhD, Lecturer
Department of Economic Informatics and Cybernetics
The Bucharest University of Economic Studies, Romania
E-mail: alecu[at]ase[dot]ro; Web Page: http://alecu.ase.ro

Abstract: Cross Site Scripting (XSS) is the most common security
vulnerability found in today's web applications. Any web application
that generates output based on the user's input without validating
that content is virtually exposed to XSS. Validating the user input by
filtering and escaping is the most effective way to prevent XSS attacks.

Keywords: XSS, Cross Site Scripting, filtering, escaping, XSS attack,
XSS example.

XSS Overview
XSS (Cross Site Scripting) is one of the most common security threats
to today's web applications. According to the Web Hacking Incident
Database for 2011 [1], XSS occupies third place (7.3%) in the all-time
ranking (1999-2011) of attack methods, as illustrated in the chart below.

Figure 1 — Top Attack Methods All the Time (1999-2011) [1]

XSS is a method of stealing data from users by infecting web pages with
malicious scripts (VBScript, JavaScript, ActiveX, Flash) that collect
sensitive content from the victim. XSS targets the dynamic web pages
that are interpreted by web browsers, so the malicious scripts are
executed locally on the user's machine, and the sensitive data gathered
in this way is transferred from the victim's computer to the attacker's
location. Usually, attackers spread malicious links over the internet
and wait for users to click them [2].

Typical XSS Attack

By now it should be clear that the attacker does not need access to the
web server hosting the application, since he modifies only the response
page by including some scripts in it. Moreover, the user is fooled into
running these scripts on his local machine, and in this way the attacker
gains access to the sensitive content he is after. Any page that
implements forms or dynamic links is vulnerable to such attacks.

The next illustration (Figure 2) describes the pattern of a typical XSS
attack.

Figure 2 – Typical XSS Attack [3]

Most XSS attacks use the <SCRIPT> tag to activate the malicious content
on the user's web page, where it is interpreted locally. The tag may
activate an embedded script or an external one:

- embedded: <SCRIPT>alert("XSS - Cross Site Scripting")</SCRIPT>

- external: <SCRIPT SRC=http://some.evil.site.com/xss.js></SCRIPT>

There are other HTML tags into which a script can be injected [4], such
as BODY, IMG, LINK, INPUT, TABLE, DIV, OBJECT, EMBED, and so on.

Typical XSS Attack - Example

Which applications are exposed to XSS? Actually, any web application
that generates output based on the user's input without validating that
content is virtually exposed to XSS.

The typical example covers applications that use queries with
parameters. To allow bookmarking, the parameter values are usually
placed inside the URL.

Let's imagine a very simple search engine in which the user types the
text to be located into a textbox and, by pressing the search button,
the application shows that text together with the list of results.

http://www.mysearchtool.org/locate.php?searchstring=XSS

By providing a link that includes a script definition as the search
string, when the web page tries to display the text it will actually
execute the script, so the attacker can gather sensitive data stored on
the innocent user's computer.

http://www.mysearchtool.org/locate.php?searchstring=<script>alert("XSS")</script>

How can such situations be prevented? The answer is very simple: any web
application that displays user input must validate the content before
including it in the output page. Normally, the web server should filter
the user input to remove any content that may create problems.
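The search page described above, written out as an added example (it is not code from the paper, and locate.php itself is never shown there): a stand-in for the page reads the searchstring parameter from the URL and renders it into the results page, once verbatim (the bug) and once HTML-escaped (the fix the paper recommends). The domain and payload are the paper's; the function names, the sample result list and the cleaned-up URLs are assumptions of this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs: the benign search from the paper and the
# script-carrying variant it describes (the paper's hypothetical domain).
BENIGN_URL = "https://www.mysearchtool.org/locate.php?searchstring=XSS"
INJECTED_URL = ("https://www.mysearchtool.org/locate.php?searchstring="
                '<script>alert("XSS")</script>')

# Constructed result list standing in for whatever the search backend returns.
SAMPLE_RESULTS = ["XSS Overview", "Typical XSS Attack"]


def search_string_from(url: str) -> str:
    """Read the searchstring parameter exactly as the page would, i.e.
    as whatever the URL carries, with no validation at this stage."""
    params = parse_qs(urlsplit(url).query)
    return params.get("searchstring", [""])[0]


def render_vulnerable(searchstring: str, results: list) -> str:
    """The bug the paper describes: the parameter is copied verbatim into
    the HTML, so a <script> element inside it becomes part of the page."""
    items = "".join(f"<li>{r}</li>" for r in results)
    return f"<h1>Results for: {searchstring}</h1><ul>{items}</ul>"


def render_escaped(searchstring: str, results: list) -> str:
    """The fix the paper recommends (escaping): every value that came
    from outside is HTML-escaped, so the browser shows the characters
    as text instead of interpreting them as markup."""
    items = "".join(f"<li>{html.escape(r)}</li>" for r in results)
    return (f"<h1>Results for: {html.escape(searchstring)}</h1>"
            f"<ul>{items}</ul>")


def contains_live_script(page: str) -> bool:
    """Check used by this example: does the HTML still contain an
    unescaped <script ...> start tag that the browser would execute?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = search_string_from(INJECTED_URL)
    for name, render in (("vulnerable", render_vulnerable),
                         ("escaped", render_escaped)):
        page = render(term, SAMPLE_RESULTS)
        print(f"{name}: executes script = {contains_live_script(page)}")
        print("   ", page)
```

For the benign search both renderers produce the same page; the two only differ once the parameter carries markup, which is exactly the case the escaping is there for.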

XSS Attack – A Real Life Example

To provide a real-life example, I tried to locate a Romanian website
that also has an English section, so I chose the Law School of the
University of Bucharest, the most important law school [5] in Romania
(Figure 3) - http://www.drept.unibuc.ro/index-en.htm.

Users may log on to the website to access some restricted areas
(schedule, marks, taxes, fees, etc.), so the web application locally
stores a cookie used to identify the student on subsequent visits from
the same machine.

Figure 3 – The Law School, ABOUT page



In the upper-right part of the page there is a search box that can be
used to quickly locate specific content. For example, if the user is
interested in finding resources related to European legislation, the
search box is a very convenient option (Figure 4).

Figure 4 – The SEARCH results

As we can notice, the page contains not only the results but also the
originally entered string, so it seems to be a very good candidate for
an XSS attack.

We will use the search box in the upper-right part of the page to inject
a JavaScript snippet that reveals the content of the user's cookie
(Figure 5) - <script>alert(document.cookie)</script>.

Figure 5 – The script entered into the search box

With minimal effort, the application reveals the sensitive details, as
illustrated in Figure 6.

Figure 6 – The cookie content



As we can see, it appears pretty easy for an attacker to steal the
identity of the currently logged-in student. What can the attacker do
with the cookie? Well, the answer to this question will be the subject
of a future article.

Conclusions
XSS attacks are very common today mainly because the technique is very
simple and the results come quite easily, as we saw in the example
presented above. How can such attacks be prevented? The answer is
validation of the user input.

The first step is to filter the content by removing any dangerous
keyword, such as the <SCRIPT> tag. This can be done by adding some code
to the web application or by using dedicated libraries. Of course, the
filters may also remove some valid text, so such filters must be used
with care.

Secondly, escaping can be used to tell the browser that the data should
not be interpreted in any way, so the browser will not execute the
script even if it is correctly injected into the code.

Finally, the web application must be properly tested against XSS
vulnerabilities [6]. For this reason, the use of an automated XSS
scanner is recommended.
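The two defenses named in the conclusions, applied to the same inputs as an added example (not code from the paper): a keyword filter that strips the <SCRIPT> tag, and escaping. The point it makes visible is the paper's caveat that filters "may remove also some valid text": the filter silently mutilates a legitimate question about the script tag, while escaping keeps the user's text intact and still leaves nothing for the browser to execute. The regular expression and the function names are assumptions of this example, and the legitimate search string is constructed; the attack string is the one the paper uses.

```python
import html
import re

# Keyword filter as the paper describes it: remove the <SCRIPT> tag
# (opening and closing, any case, any attributes). This regex is an
# assumption of the example, not a specific library's filter.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def keyword_filter(text: str) -> str:
    """First defense from the conclusions: strip the dangerous keyword."""
    return SCRIPT_TAG.sub("", text)


def escape_output(text: str) -> str:
    """Second defense: escape so the browser treats the data as text."""
    return html.escape(text, quote=True)


def is_lossless(original: str, transformed: str) -> bool:
    """Does the browser-visible text still equal what the user typed?
    The browser decodes escaped output back to characters, so we decode
    it here and compare; a filter that deleted characters cannot pass."""
    return html.unescape(transformed) == original


# Constructed inputs: the paper's cookie-revealing payload and a
# perfectly legitimate search about the same tag.
ATTACK = "<script>alert(document.cookie)</script>"
LEGIT = "How do I write a <script> tag?"


def compare(text: str) -> dict:
    """Run both defenses on one input and report what each preserves."""
    filtered = keyword_filter(text)
    escaped = escape_output(text)
    return {
        "filtered": filtered,
        "filtered_lossless": is_lossless(text, filtered),
        "escaped": escaped,
        "escaped_lossless": is_lossless(text, escaped),
    }


if __name__ == "__main__":
    for label, text in (("attack", ATTACK), ("legit", LEGIT)):
        print(label, compare(text))
```

The filter leaves the attack string as the inert text alert(document.cookie) but turns the legitimate question into "How do I write a  tag?", and it does nothing for the other injectable tags listed earlier in the paper; escaping treats every input the same way and is reversible, which is why it is the defense to apply at the output stage regardless of whether a filter runs in front of it.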

References
[1] Web Hacking Incident Database - http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database

[2] XSS Attacks: Cross-site Scripting Exploits and Defense - http://books.google.ro/books?id=Imt5Crr0jJcC&redir_esc=y

[3] Cross Site Scripting Attack - http://www.acunetix.com/websitesecurity/cross-site-scripting.htm

[4] Felician Alecu, Securitatea în Internet, Informatică Economică, 3/2006, pp. 5 – 8, Editura ASE, București, 2006

[5] The Law School of the University of Bucharest - http://www.drept.unibuc.ro/index-en.htm

[6] Preventing XSS Attacks - http://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/
