Cross site scripting
What is cross-site scripting?
• Cross-Site Scripting (referred to as XSS) is a type of web application attack where
malicious client-side script is injected into the application output and
subsequently executed by the user's browser.
• An attacker can use XSS to send a malicious script to an unsuspecting user. The
end user's browser has no way to know that the script should not be trusted, and
will execute the script because it appears to come from a trusted source.
Why should I care about cross-site scripting?
• The consequences of what an attacker can do with the ability to
execute JavaScript on a web page may not immediately stand out,
especially since browsers run JavaScript in a very tightly controlled
environment in which JavaScript has limited access to the user's
operating system and the user's files.
Who's affected by cross-site scripting?
• Everyone. No, really: almost every site you can think of has had XSS
problems at one time or another (and probably still does):
• Universal XSS in Internet Explorer (2015) [1]
• Tweetdeck (2014) [2]
• PayPal (2013), BONUS: discovered by a 17 year old kid [3]
• Google Finance (2013) [4]
• 25 "Verisign-secured" online stores (2012) [5]
• McAfee (2011) [6]
• Visa (2010) [7]
Believe it or not:
• 45884 total XSS
• 3026 fixed
Types of XSS:
• XSS can be used in a range of ways to cause serious problems.
1: Stored XSS:
The most damaging type of XSS is Stored (Persistent) XSS. Stored XSS attacks
involve an attacker injecting a script (referred to as the payload) that is permanently
stored (persisted) on the target application.
2: Reflected XSS:
The second, and by far the most common, type of XSS is Reflected XSS. In Reflected XSS,
the attacker's payload script has to be part of the request which is sent to the web
server and reflected back in such a way that the HTTP response includes the payload
from the HTTP request.
3: DOM-based XSS:
DOM-based XSS is an advanced type of XSS attack which is made possible when the
web application's client-side scripts write user-provided data to the Document Object
Model (DOM).
Reflected XSS:
    <?php
    // DVWA reflected-XSS page (low security level): the "name" query
    // parameter is echoed straight into the HTML response without any
    // encoding, so script tags supplied by the user are executed by the browser
    if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') {
        $isempty = true;
    } else {
        echo '<pre>';
        echo 'Hello ' . $_GET['name'];
        echo '</pre>';
    }
    ?>
• Demo URL (the "name" value is the URL-encoded form of bilal<script>alert("hello")</script>):
http://192.168.182.136/dvwa/vulnerabilities/xss_r/?name=bilal%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E#
Stored XSS :
DOM XSS: this page was a search page. The attacker injects code that displays
an image instead of the search results, so the victim sees an image.
Some examples of what XSS can be used for:
Cross site scripting
Methods of preventing XSS
• Encoding: first of all, encode all <, >, ' and ". This should be the first step of your
XSS filter. See the encoding table below:
• & -> &amp;
• < -> &lt;
• > -> &gt;
• " -> &quot;
• ' -> &#x27;
• / -> &#x2F;
• Validation: filter the user input so that nothing reaching the browser is
interpreted as code carrying malicious commands.
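As an added example (not DVWA's code and not from the slides), the encoding table above implemented in PHP and applied to the reflected-XSS handler shown earlier, so the "name" parameter is rendered as text instead of being executed; the function names encode_for_html and greet are assumptions.

```php
<?php
// Added example: output encoding for the HTML body context, following the
// six-character table on the slide (& < > " ' /). strtr() with an array
// replaces each character once and never re-scans its own output, so the
// leading "&" of an entity is not double-encoded.
function encode_for_html(string $input): string
{
    $map = [
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#x27;',
        '/' => '&#x2F;',
    ];
    return strtr($input, $map);
}

// The reflected-XSS handler from the slide, hardened: the only change is that
// the untrusted "name" parameter is encoded before it is placed in the HTML.
// $get stands in for $_GET so the function can be called with any array.
function greet(array $get): string
{
    if (!array_key_exists('name', $get) || $get['name'] === null || $get['name'] === '') {
        return '';
    }
    return '<pre>Hello ' . encode_for_html($get['name']) . '</pre>';
}

// Constructed input: the decoded payload from the slide's demo URL.
$payload = 'bilal<script>alert("hello")</script>';

// The script tags come out as &lt;script&gt; ... &lt;&#x2F;script&gt;, which
// the browser displays as literal text rather than executing.
echo greet(['name' => $payload]), PHP_EOL;

// Built-in alternative: htmlspecialchars() with ENT_QUOTES encodes & < > " '
// (it leaves "/" alone), which is sufficient for the HTML body context.
echo htmlspecialchars($payload, ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```

Encoding must match the context the data lands in: the table above is for HTML body content, and data placed inside a JavaScript string, a URL or an attribute needs that context's encoding instead.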
Open Source Libraries for Preventing XSS Attacks
• PHP AntiXSS: this is a nice PHP library that can help developers add
an extra layer of protection from cross-site scripting vulnerabilities.
• xss_clean.php filter: this is a strong XSS filter that cleans various
URL encodings and nested exploits.
• HTML Purifier: this is a standard HTML filtering library written in
PHP. It removes all malicious code from the input and protects the
website from XSS attacks. It is also available as a plug-in for most PHP
frameworks.
• XSS Prevention Rules by OWASP
References:
• 1: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
• 2: https://en.wikipedia.org/wiki/Cross-site_scripting
• 3: https://www.acunetix.com/websitesecurity/xss/
• 4: http://excess-xss.com/
• 5: https://www.google.com.pk/search?q=Persistent+XSS&source=lnms&tbm=isch&sa=X&ved=0ahUKEwi2hqXdjpzTAhWCro8KHRF7AdUQ_AUICCgB&biw=1366&bih=676#imgdii=x-ReLnly4hYDrM:&imgrc=v0wp7b1CE1M5sM:
• 6: https://www.acunetix.com/websitesecurity/cross-site-scripting/
• 7: https://code.google.com/p/php-antixss/
• 8: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet