XSS Attacks

Cross Site Scripting Attacks

Presented by:

Syed Muhammad Taha

      Saad Abbasi

Presented to:

Dr. Saleem Ahmed Phul

XSS

  • ​A client-side code injection attack.
  • Attacker Executes malicious scripts into a legitimate website or web app.
  • The most rampant of web application vulnerabilities.

Source: Acunetix

Two-third

  • More than

of web vulnerabilities are 

XSS

related.

  • Famous sites that are affected by XSS, include 

Twitter, Facebook, MySpace, YouTube

How Much Rampant?

12.75%

  • Almost

of web attacks are XSS.

Source: Barricade

Languages

  • XSS can be taken advantage of within 

VBScript,

ActiveX, Flash.

  • The most widely abused language is 

JavaScript.

Types of XSS Attacks

  • Server XSS 
  • Client XSS

Server XSS

  • When untrusted user supplied data is included in an HTML response generated by the server.

  • The source of this data could be from the request, or from a stored location.

  • The source of this data could be from the request, or from a stored location.

Client XSS

  • When untrusted user supplied data is used to update the DOM with an unsafe JavaScript call.

  • A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM.

  • This source of this data could be from the DOM, or it could have been sent by the server (via an AJAX call, or a page load)

Types of XSS Attacks

Well, How Serious XSS could be?

If XSS got injected then a hacker could:

  • use the credibility of your site to run a phishing scheme

  • steal your users' passwords

  • hijack your users' sessions

  • try to launch an attack against the site administrator (you)

  • redirect your users to another site (gambling, Google, affiliate link, whatever)

  • display inappropriate or mis-informative messages to your users

  • Or anything else that could be done with client-side executable code

  

Source: 12robots

XSS Demo

XSS Prevention Rules

  • Rule#0 - Never Insert Untrusted Data Except in Allowed Locations
  • ​Rule#1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
  • RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  • RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
  • RULE #4 - CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
  • RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
  • RULE #6 - Sanitize HTML Markup with a Library Designed for the Job
  • RULE #7 - Prevent DOM-based XSS

Source: owasp

Made with Slides.com