Cross Site Scripting and its Issues By Odion Oisamoje
Dec 31, 2015
What is XSS
A vulnerability that enables an attacker to lure a computer user into downloading and running malicious JavaScript code from a trusted site.
Types of XSS
• Persistent: the attack is stored on the website’s server; the victim does not have to go through a link.
• Non-persistent: the most common type; the user has to go through a special link to be exposed, and the code does not get stored on the server.
Types of XSS cont.
Figure 1: A typical reflected or non-persistent cross site scripting scenario
Types of XSS cont.
• DOM-based: an emerging area; the attacker’s code does not have to pass through the server to affect the visitor.
How it Works
• http://www.youtube.com/watch?v=r79ozjCL7DA
Famous Attack
• “In 2005, a MySpace user named Samy discovered a unique way to expand his buddy list. Within 24 hours, the number of friends in his page grew from 73 to more than 1 million. He achieved this instant popularity by creating the first self-propagating cross-site scripting (XSS) worm and by exploiting the lax security in many Web browsers” (Monthie, 2008).
Prevention – Detection – Response
• Reduce impact
• Sanitize input
• Work back to the source
• Input sanitation and validation on JavaScript code
• Be proactive
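To make the “sanitize input” point concrete, here is an added example (not from the original slides) of a hypothetical server-side search page that reflects the q parameter from the victim’s link, first as written unsafely and then hardened by HTML-encoding the value at output time; the function names, the example.com link and the sample payload are all constructed for illustration.

```javascript
// Added example, not part of the original presentation.
// Characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode untrusted text so the browser renders it as data, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pull a query parameter out of the URL the user was lured to open.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// UNSAFE (hypothetical): reflects the parameter verbatim into the page,
// which is exactly the non-persistent scenario from Figure 1.
function buildSearchPageUnsafe(url) {
  const q = queryParam(url, "q");
  return `<p>Results for: ${q}</p>`;
}

// HARDENED: same page, but the value is HTML-encoded at the point of
// output, so any tags in the link become inert text in the response.
function buildSearchPageSafe(url) {
  const q = queryParam(url, "q");
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Cheap detection aid for a response test or log review: does the
// rendered page still contain a raw <script> tag where only text was expected?
function containsRawScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample link of the kind a non-persistent attack relies on.
const SAMPLE_LINK =
  "https://example.com/search?q=" + encodeURIComponent("<script>evil()</script>");

console.log("unsafe:", buildSearchPageUnsafe(SAMPLE_LINK));
console.log("safe:  ", buildSearchPageSafe(SAMPLE_LINK));
```

Running the script prints the unencoded page with a live script tag and the hardened page with `&lt;script&gt;` in its place.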
References
• Monthie, B. (2008). What, who, when, where, why, how of XSS. Network World, 25(28), 26. Retrieved from EBSCOhost.
• Cross-site Scripting (XSS). (2010, October 10). Retrieved April 15, 2011, from The Open Web Application Security Project (OWASP): https://www.owasp.org
Q & A