3. WHAT IS CROSS SITE
SCRIPTING..??
According to current statistics, Cross Site Scripting (XSS) is
one of the most widespread security problems today.
XSS is an attack technique that forces a website to echo
attacker-supplied executable code, which then loads in a
user’s Web browser.
The server is merely the host, while the attack executes
within the Web browser.
Samy worm1 became the first major worm to use Cross-
Site Scripting for infection propagation. Sunday, July 27,
2014
3
4. WHAT IS CROSS SITE-SCRIPTING..??
AN ATTACKER
1. Anonymous Internet User
2. Malicious Internal User
A WEB SEREVER
External (e.g.: Social networking website, Shop,
Information). Internal (e.g.: Employees Self Service Portal)
A CLIENT
• Any type of customer
• Anonymous user accessing the Web-Server
Sunday, July 27,
2014
4
5. TYPES OF XSS
• PERSISTENT
a) It does not require specially crafted links for execution
b) A hacker merely submits XSS exploit code to an area
of a website that is likely to be visited by other users.
c) These areas could be blog comments, user reviews,
message board posts etc
d) Persistent XSS much more dangerous than non-
persistent because the user has no means of defending
himself
Sunday, July 27,
2014
5
6. TYPES OF XSS..
• USED TRICK SOME WAY
TO OPEN THE LINK.
Sunday, July 27,
2014
6
7. TYPES OF XSS..
• NON – PERSISTENT
The non-persistent cross-site scripting
vulnerability is by far the
most common type.
Sunday, July 27,
2014
7
8. TYPES OF XSS..
• EMBEDDED HTML TAGS
• Several HTML tags possess attributes
that initiate Web browser HTTP requests
automatically upon page load
• This is done by finding an unvalidated
request parameter that is reflected into the
response header
Sunday, July 27,
2014
8
9. PREVENTION..
The first and most effective solution is to disable all
scripting language proxy servers can help filter out
malicious scripting in HTML.
Four approaches of prevention against XSS:
a) USERS
b) CUSTOMER WEB APPLICATIONS
c) SECURITY PROFESSIONALS
d) BROWSER SECURITY
Sunday, July 27,
2014
9
10. PREVENTION
USERS :
Exercise caution when clicking on links
Install some browser add-ons such as NoScript25 or the Netcraft
Toolbar26
avoiding questionable websites such as those offering hacking information
etc.
CUSTOMER WEB APPLICATIONS :
developers must focus on performing rock solid Input Validation on all
user-submitted content
Protect sensitive functionality from being executed from third-party websites
Code must contain no javascript
Sunday, July 27,
2014
10
11. PREVENTION..
SECURITY PROFESSIONALS
a. The only way to determine if your security practices are providing
adequate safeguards is to measure them and measure often
b. It may take tens, if not hundreds, of thousands of security tests to
properly assess the security of a website
BROWSER VENDORS
a. Mozilla (Firefox), Microsoft and Opera development teams must begin
formalizing and implementing Content-Restrictions
b. Mozilla (Firefox) developer, please implement http Only. It’s been around
for years! Sunday, July 27,
2014
11
12. WORST CASE SCENARIO
An attacker can use your web site to
launch attacks against your users.
A cross-site Scripting vulnerability in
one server in your domain presents a risk
to others in its environment since it can
become a launching pad for attacks
against other servers. Sunday, July 27,
2014
12
13. WORST CASE SCENARIO
• Example of how
websites include
google adsense
using javascript
Sunday, July 27,
2014
13
14. CONCLUSION
• Malware authors are contend to experiment with the
new possiblities.
• The techniques of the malware authors dramatically
improved as propagation becomes faster.
• Payload becomes more severe with the introuction of
backdoors,rootkits and botnets.
• XSS malware is in it's early stage of exploration.
Sunday, July 27,
2014
14
15. CONCLUSION
• The first major XSS worm which was successful
experiment in propagation was the samy worm
• If history continues to repeat itself it is safe to say we
will witness and increased volume of XSS malware
outbreaks
• Who is responsible...???
• The business owner who operates a business application
is in charge for secure operation.
Sunday, July 27,
2014
15
16. CONCLUSION
• Every piece of software could be vulnerable if developer
doesn't do his homework in terms of security.
• A process is required that insures that security is
considered throughout the complete life cycle of the
application.
• GISWS survey showed that 51% of those surved feel
that internal employees are indeed the bigger threat
• Undetected and unchecked exploitation can also lead to
implantation of malicious software giving malicious attacker
the ability to attack any time
Sunday, July 27,
2014
16