Cross site scripting
What is cross-site scripting?
• Cross-Site Scripting (referred to as XSS) is a type of web application attack where
malicious client-side script is injected into the application output and
subsequently executed by the user’s browser.
• An attacker can use XSS to send a malicious script to an unsuspecting user. The
end user’s browser has no way to know that the script should not be trusted, and
will execute it, because it thinks the script came from a trusted source.
Why should I care about cross-site scripting?
• The consequences of what an attacker can do with the ability to
execute JavaScript on a web page may not immediately stand out,
especially since browsers run JavaScript in a very tightly controlled
environment in which it has limited access to the user’s
operating system and the user’s files.
Who’s affected by cross-site scripting?
• Everyone. No, really – almost every site you can think of has had XSS
problems at one time or another (and probably still does) :
• Universal XSS in Internet Explorer (2015) [1]
• Tweetdeck (2014) [2]
• PayPal (2013) – BONUS: discovered by a 17 year old kid [3]
• Google Finance (2013) [4]
• 25 “VeriSign-secured” online stores (2012) [5]
• McAfee (2011) [6]
• Visa (2010) [7]
Believe it or not:
• 45884 total XSS
• 3026 fixed
Types of XSS:
• XSS can be used in a range of ways to cause serious problems.
1 : Stored XSS:
The most damaging type of XSS is Stored (Persistent) XSS. In a Stored XSS attack
the attacker injects a script (referred to as the payload) that is permanently
stored (persisted) on the target application.
2 : Reflected XSS:
The second, and by far the most common, type of XSS is Reflected XSS. In Reflected XSS,
the attacker’s payload script has to be part of the request which is sent to the web
server and is reflected back in such a way that the HTTP response includes the payload
from the HTTP request.
3 : DOM-based XSS:
DOM-based XSS is an advanced type of XSS attack which is made possible when the
web application’s client-side scripts write user-provided data to the Document Object
Model (DOM).
Reflected XSS:
• The vulnerable PHP handler:

```php
<?php
// Vulnerable on purpose (the slide's DVWA example): $_GET['name'] is echoed back unencoded.
if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') {
    $isempty = true;                 // no name supplied: nothing is printed
} else {
    echo '<pre>';
    echo 'Hello ' . $_GET['name'];   // untrusted input written straight into the HTML response
    echo '</pre>';
}
?>
```
• http://192.168.182.136/dvwa/vulnerabilities/xss_r/?name=bilal%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E#
Stored XSS :
DOM XSS: this page was a search page. The attacker injects code that displays an
image instead of the search results, so the victim sees an image.
Some examples of what XSS is used for:
Methods of preventing XSS
• Encoding: First of all, encode all <, >, ' and ". This should be the first step of your
XSS filter. See the encoding below:
• & -> &amp;
• < -> &lt;
• > -> &gt;
• " -> &quot;
• ' -> &#x27;
• / -> &#x2F;
• Validation: filter the user input so that the browser does not interpret any of it as
code carrying malicious commands.
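As an added example (not code from the original slides), the encoding table above implemented in JavaScript and applied to the same "Hello <name>" handler the Reflected XSS slide shows, once unencoded and once encoded; the host in the sample URL is a placeholder and the helper names are my own:

```javascript
// Added example, not part of the original slides. Runs under Node.js with no
// dependencies: the slide's six HTML-encoding substitutions as an output
// encoder, exercised against a DVWA-style "Hello <name>" page.

// The six substitutions listed on the "Methods of preventing XSS" slide.
// All six are applied in one pass, so '&' produced by one substitution is
// never re-encoded by another.
const HTML_ENCODE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode untrusted data for insertion into an HTML element body.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENCODE_MAP[ch]);
}

// Read the "name" query parameter the way the slide's PHP reads $_GET['name'].
// Returns null when the parameter is absent or empty (the PHP $isempty branch).
function nameFromUrl(url) {
  const name = new URL(url).searchParams.get('name');
  return name === null || name === '' ? null : name;
}

// Mirror of the slide's PHP handler. encode=false reproduces the vulnerable
// behaviour (raw echo); encode=true is the hardened version.
function renderGreeting(url, encode) {
  const name = nameFromUrl(url);
  if (name === null) {
    return ''; // the PHP sets $isempty = true and prints no greeting
  }
  const shown = encode ? encodeForHtml(name) : name;
  return '<pre>Hello ' + shown + '</pre>';
}

// True when a <script ...> tag survived into the rendered HTML, i.e. the
// injected markup would reach the browser's parser as markup.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: the query string from the slide's DVWA URL on a
// placeholder host (assumption; the slide uses a lab address).
const SAMPLE_URL =
  'http://lab.example/dvwa/vulnerabilities/xss_r/?name=bilal%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E';

console.log('unencoded:', renderGreeting(SAMPLE_URL, false));
console.log('encoded:  ', renderGreeting(SAMPLE_URL, true));
```

The unencoded render still contains a `<script>` tag; the encoded one reaches the browser as inert text inside the `<pre>` element.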
Open Source Libraries for Preventing XSS Attacks
• PHP AntiXSS: This is a nice PHP library that can help developers add
an extra layer of protection against cross-site scripting vulnerabilities.
• xss_clean.php filter: This is a strong XSS filter that cleans various
URL encodings and nested exploits.
• HTML Purifier: This is a standard HTML filtering library written in
PHP. It removes all malicious code from the input and protects the
website from XSS attacks. It is also available as a plug-in for most PHP
frameworks.
• XSS Prevention Rules by OWASP
References:
• 1 : https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
• 2 : https://en.wikipedia.org/wiki/Cross-site_scripting
• 3 : https://www.acunetix.com/websitesecurity/xss/
• 4 : http://excess-xss.com/
• 5 : https://www.google.com.pk/search?q=Persistent+XSS&source=lnms&tbm=isch&sa=X&ved=0ahUKEwi2hqXdjpzTAhWCro8KHRF7AdUQ_AUICCgB&biw=1366&bih=676#imgdii=x-ReLnly4hYDrM:&imgrc=v0wp7b1CE1M5sM:
• 6 : https://www.acunetix.com/websitesecurity/cross-site-scripting/
• 7 : https://code.google.com/p/php-antixss/
• 8 : https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet