6. XSS formal description
Types – at least two primary flavors
• Non-persistent (or reflected)
• Persistent (or stored)
Typical impact
• Steal user’s session (hijack session)
• Rewrite web page
• Redirect user to phishing or malware site
• Most Severe: Install XSS proxy
11–13. Reflected XSS Illustrated
1. The attacker sends the victim a misleading email with a link containing malicious JavaScript.
2. When the victim clicks on the link, the HTTP request is initiated from the victim's browser and sent to the vulnerable Web application.
3. The malicious JavaScript is then reflected back to the victim's browser, where it is executed in the context of the victim user's session.
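The three steps above, simulated without a network so they can be stepped through, plus the check a defender would run against such a page. This is an added example, not code from the slides: the host, the search page, the `q` parameter and the sample link are all constructed for illustration, and the "vulnerable" handler is deliberately written without output encoding to show the defect the slide describes.

```javascript
// Added example (not from the slides): the reflected XSS flow modelled as plain
// function calls, followed by a defender-side reflection check.
// The host, path, parameter name and sample payload are constructed.

// Step 1: the link the attacker mails to the victim. The query parameter carries
// a script tag (constructed sample; it only contains a comment).
const ATTACKER_LINK =
  "https://example.test/search?q=" +
  encodeURIComponent("<script>/* constructed sample payload */</script>");

// Step 2: the victim's browser turns the link into an HTTP request. Only the
// parts the application will look at are modelled (URL is a Node global).
function buildRequest(link) {
  const u = new URL(link);
  return { path: u.pathname, params: Object.fromEntries(u.searchParams) };
}

// Step 3 (server side): a deliberately vulnerable handler that reflects the
// parameter into the page body verbatim. The browser then runs whatever it
// contains in the victim's session. This is the defect, not a model to copy.
function vulnerableSearchHandler(req) {
  const q = req.params.q ?? "";
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Defender-side check, of the kind a DAST scanner or an integration test runs:
// which request parameters come back in the response unchanged while still
// carrying HTML metacharacters? Any hit is a reflected-XSS candidate to fix
// with output encoding.
function reflectsUnencoded(req, responseBody) {
  return Object.entries(req.params)
    .filter(([, v]) => /[<>"']/.test(v))        // value could break out of HTML
    .filter(([, v]) => responseBody.includes(v)) // and was echoed back raw
    .map(([k]) => k);
}

// Run the flow end to end: returns ["q"] for the vulnerable handler.
function demo() {
  const req = buildRequest(ATTACKER_LINK);
  const body = vulnerableSearchHandler(req);
  return reflectsUnencoded(req, body);
}

console.log("reflected unencoded:", demo());
```

`reflectsUnencoded` is intentionally simple: it only reports values that were echoed with their metacharacters intact, so a page that HTML-encodes its output produces no hit for the same request.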
17. Prevention of XSS Attack – part 1
• Input Validation
  • Canonicalize data first
    • Prevent encoded attacks
  • Black list testing is no solution
    • Black lists are never complete!
  • White list testing is better
    • Only what you expect will pass
    • Regular expressions
• HTML Encoding
  • HTML encoding of all input when put into output pages
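The input-validation bullets as working code: canonicalize first (undo percent-encoding until the value stops changing, then Unicode NFKC), then test against a white list that describes only what is expected, and compare that with a black-list check on the same inputs. This is an added example, not from the slides; the username rule, the function names and every sample input are constructed.

```javascript
// Added example (not from the slides): canonicalize, then white-list.
// The username format and the sample inputs are constructed for illustration.

// Canonicalize: decode percent-encoding repeatedly until the value is stable
// (this is what defeats double encoding such as %253C), then fold Unicode
// compatibility forms with NFKC so look-alike characters collapse to one form.
// The loop is bounded so pathological input cannot spin it.
function canonicalize(value) {
  let prev;
  let cur = value;
  for (let i = 0; i < 5 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur);
    } catch {
      break; // malformed escape sequence: keep what we have
    }
  }
  return cur.normalize("NFKC");
}

// The black-list approach the slide warns against: rejects the one pattern it
// knows about and is applied to the raw input, as naive filters usually are.
function blacklistRejects(raw) {
  return /<script/i.test(raw);
}

// The white-list approach: only what we expect passes. Here a username is
// 3 to 20 ASCII letters, digits or underscores (constructed rule).
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;
function isValidUsername(raw) {
  return USERNAME_RE.test(canonicalize(raw));
}

// Run both strategies over the same inputs so the gap is visible.
function compare(inputs) {
  return inputs.map((raw) => ({
    raw,
    blacklistBlocks: blacklistRejects(raw),
    whitelistAccepts: isValidUsername(raw),
  }));
}

// Constructed samples: one legitimate name, then the same script tag plain,
// percent-encoded once, encoded twice, and a fullwidth spelling of a legal name.
const SAMPLES = [
  "alice_01",
  "<script>x</script>",
  "%3Cscript%3Ex%3C/script%3E",
  "%253Cscript%253E",
  "\uff41\uff4c\uff49\uff43\uff45", // fullwidth "alice"; NFKC folds it to "alice"
];

console.table(compare(SAMPLES));
```

The table shows the asymmetry the slide is making: the black list catches only the literal tag and misses both encoded forms, while the white list, applied after canonicalization, rejects all three and still accepts the fullwidth spelling of a legal name once NFKC has normalized it.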
18. Prevention of XSS Attack – Multiple contexts
Browsers have multiple contexts that must be considered!
• HTML Body context
• HTML Attribute context
• <STYLE> context
• <SCRIPT> context
• URL context
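One encoder per context, and a template that places the same untrusted value into all five. This is an added example, not from the slides or from any library: the function names and the profile page are constructed, and the encoding rules follow the usual per-context approach (entity encoding for HTML, `&#xHH;` for attributes, `\xHH` for JavaScript string literals, `\HH ` for CSS, percent-encoding for URL parameters).

```javascript
// Added example (not from the slides): context-aware output encoding.
// Function names and the sample page are constructed for illustration.

// HTML body context: the five characters that can start markup or an entity.
function encodeHtmlBody(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: encode every non-alphanumeric character as &#xHH;
// and always quote the attribute in the template, so no value can close the
// quote or introduce a new attribute.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// <SCRIPT> context, inside a JS string literal: \xHH (or \uHHHH) for every
// non-alphanumeric character, so quotes, newlines and "</script>" cannot
// terminate the literal or the script element.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100
      ? `\\x${cp.toString(16).padStart(2, "0")}`
      : `\\u${cp.toString(16).padStart(4, "0")}`;
  });
}

// <STYLE> context: CSS hex escapes; the trailing space ends the escape so the
// next character is not absorbed into it.
function encodeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `\\${c.codePointAt(0).toString(16)} `);
}

// URL context: the value lands inside a query parameter, so percent-encode it.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// The same untrusted value in all five contexts, each with its own encoder.
// Using encodeHtmlBody() everywhere would be wrong: inside the <script> block
// it leaves quotes intact, so a value could still end the string literal.
function renderProfile(name) {
  return [
    `<h1>${encodeHtmlBody(name)}</h1>`,
    `<input name="display" value="${encodeHtmlAttr(name)}">`,
    `<style>.user::after { content: "${encodeCss(name)}"; }</style>`,
    `<script>var user = "${encodeJsString(name)}";</script>`,
    `<a href="/profile?name=${encodeUrlParam(name)}">link</a>`,
  ].join("\n");
}

console.log(renderProfile('Bob "<b>" & sons'));
```

The choice of encoder is decided by where the template puts the value, not by what the value looks like; that is why the slide insists on treating each context separately.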
19. Prevention of XSS Attack – Session Hijacking
• Session hijacking
• "HttpOnly" Cookies
• "secure" Cookies: cookies are only sent over SSL
• Disable TRACE
• References:
• http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• http://ha.ckers.org/xss.html
• http://www.owasp.org/index.php/ESAPI
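The session-hijacking mitigations from slide 19 as code: a helper that emits the session cookie with both flags, an audit that reports Set-Cookie headers missing either flag, and a handler that refuses TRACE. This is an added example, not from the slides or ESAPI; the cookie names, the sample header values and the session id are constructed.

```javascript
// Added example (not from the slides): HttpOnly/Secure cookies and TRACE refusal.
// Cookie names, sample headers and the session value are constructed.

// Build a Set-Cookie header value for the session cookie.
// HttpOnly: document.cookie cannot read it, so a script that does run in the
//   page cannot send the session id elsewhere.
// Secure: the browser only sends it over TLS, so it is not exposed on plain HTTP.
function sessionCookie(name, value, { maxAgeSeconds = 3600 } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[;,\s]/.test(value)) {
    throw new Error("invalid cookie name or value");
  }
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure`;
}

// Audit a response's Set-Cookie header values and report cookies that lack
// either flag. Attribute names are matched case-insensitively.
function auditSetCookie(headerValues) {
  return headerValues.flatMap((h) => {
    const attrs = h.split(";").map((p) => p.trim().toLowerCase());
    const name = h.split("=")[0].trim();
    const missing = [];
    if (!attrs.includes("httponly")) missing.push("HttpOnly");
    if (!attrs.includes("secure")) missing.push("Secure");
    return missing.length ? [{ name, missing }] : [];
  });
}

// TRACE echoes the request, headers included, back in the response body; the
// slide's advice is to disable it. A minimal router that refuses the method.
function handleMethod(method) {
  if (method.toUpperCase() === "TRACE") {
    return { status: 405, headers: { Allow: "GET, POST" }, body: "" };
  }
  return { status: 200, headers: {}, body: "ok" };
}

// Constructed sample: one well-formed session cookie and two legacy ones.
const SAMPLE_SET_COOKIE = [
  sessionCookie("sid", "constructed-session-id"),
  "legacy=abc; Path=/",        // neither flag
  "pref=dark; Path=/; Secure", // missing HttpOnly
];

console.log(auditSetCookie(SAMPLE_SET_COOKIE));
console.log("TRACE ->", handleMethod("TRACE").status);
```

Running the audit against the headers a real application actually sends is the quickest way to find the cookie that was added years ago without either flag.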