Cross Site Scripting

Cross-site scripting, also known as XSS, is a type of security vulnerability typically found in web applications. It occurs when a web application accepts malicious data from a user, usually delivered as a hyperlink that carries a malicious payload. Browsers display HTML content and execute JavaScript. If the application does not escape special characters in its input or output and sends the user input back to the browser, an attacker may be able to launch an XSS attack successfully, through which malicious files can be executed, the session details of a logged-in user can be stolen, or Trojans can be installed.

Types of XSS: The non-persistent (or reflected) cross-site scripting vulnerability is the most common type. A non-persistent XSS vulnerability occurs when the data provided by the attacker is immediately used by the server and the generated page is returned to that same user. The persistent (or stored) XSS vulnerability occurs when the data provided by the attacker is saved on the server and permanently displayed on web pages returned to other users. Another type of XSS attack is DOM-based XSS. DOM-based XSS (type-0 XSS) is an attack in which the payload is executed as a result of modifying the DOM environment in the victim's browser, without the server necessarily reflecting it.

How to Perform XSS Testing:

  • Submitting malicious script through text inputs
    • List out all the text input fields [Text box, Text area] in the application.
    • Submit a simple JavaScript probe, such as `<script>alert("XSS")</script>`, through each identified text input field.
    • If the text box is vulnerable, an alert showing the text in the quotes will be displayed, which means the input was returned to the browser without being escaped.
  • Submitting malicious script through an application URL
    • Modify the requests using a security testing tool such as Burp Suite to test whether the application is vulnerable.
    • Capture the request with the Burp proxy.
    • Append the malicious script to the captured request.
    • Forward the modified request.
    • Validate the result in the response returned by the application.

How to prevent

XSS attacks are possible mainly because the server does not handle special characters in its output: user-supplied data is written into the page as if it were trusted markup.

There are 2 broad strategies for defeating XSS:

Whitelisting good input

Whitelist: Create a whitelist of the characters the application actually requires for each field. Once the whitelist is ready, the application should reject any request containing a character that is not in the list.

Blacklisting bad input

Blacklist: The application should not accept scripts, special characters or HTML in fields where they are not required. It should escape special characters that may prove to be harmful. Some of the special characters used in scripts that must be escaped are: <>()[]{}/\*;:=%+^!
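The following is an added example, not code from the original post or from InApp, showing both strategies above in practice: a whitelist check for a field that only needs a small character set, and HTML output escaping for a field that must accept free text. It also shows why the alert-based test in the testing section fires: the vulnerable renderer concatenates the probe string straight into the page, while the hardened renderer escapes it first. The field names, the username policy and the sample payload are assumptions made for the example.

```javascript
// Added example (not from the original post): output escaping and input
// whitelisting, the two XSS defences the post describes.

// HTML-significant characters and the entity forms that neutralise them
// when inserted into an element body or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Escape untrusted text for HTML body or double-quoted attribute context.
// Note: this is NOT sufficient for inserting data into a <script> block,
// a URL, or a CSS value; each of those contexts needs its own encoder.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the search term is concatenated into the page
// unchanged, so a probe like <script>alert("XSS")</script> becomes markup.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened rendering: the same template, but the term is escaped on output,
// so the browser displays the probe as text instead of executing it.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Whitelist validation for a field that never legitimately needs markup.
// The policy (letters, digits, "_", ".", "-", 1 to 32 chars) is an assumed
// example policy, not one from the post.
const USERNAME_WHITELIST = /^[A-Za-z0-9_.-]{1,32}$/;

function isAllowedUsername(value) {
  return USERNAME_WHITELIST.test(String(value));
}

// A simple check used to compare the two renderers: does the generated
// HTML still contain an opening <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the same probe string the post's test uses.
const SAMPLE_PAYLOAD = '<script>alert("XSS")</script>';

// Run as a script to see both renderings side by side.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderSearchVulnerable(SAMPLE_PAYLOAD));
  console.log("hardened:  ", renderSearchSafe(SAMPLE_PAYLOAD));
  console.log("username ok:", isAllowedUsername("alice_01"));
  console.log("username ok:", isAllowedUsername("<b>alice</b>"));
}
```

Whitelisting and escaping are complementary rather than alternatives: a whitelist keeps fields such as usernames free of markup at the point of entry, but data can reach a page by other routes (imports, APIs, earlier records), so escaping at the point of output is the control that actually stops the browser from interpreting user data as code. The escaper shown only covers HTML text and attribute contexts; data placed inside inline JavaScript, URLs or CSS needs an encoder for that context.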



Author: InApp
