Prevalent & Pernicious: XSS

Document created by RSA Admin Employee on Sep 21, 2012. Last modified by RSA Admin Employee on Sep 21, 2012. Version 2.

Of all Web application security vulnerabilities, Cross Site Scripting (XSS) is one of the most widespread and harmful.


Attacks are usually executed with JavaScript running in the victim's browser, which lets the attacker manipulate any aspect of the page. In a worst-case scenario an attacker steals the victim's session data and impersonates the user on a bank's Web site.


Examples of what malicious code can do

  1. Modify the Document Object Model (DOM): change links, add buttons or a fake login form.
  2. Send personal information to third parties (JavaScript can read document.cookie and send it to another site unless the cookie is marked HttpOnly).

Three types of Cross Site Scripting

  1. Reflected
  2. Stored
  3. DOM-based (also called DOM injection)


Reflected XSS

  1. The easiest type to exploit.
  2. A page reflects user-supplied data (typically a query parameter) directly back to the user without encoding it.

So when the user types the following into a search box or URL parameter:

    <script type="text/javascript">
    alert("Hello World");
    </script>

he receives an alert in his browser.

Danger

  1. If the URL (containing the GET parameters) is delivered by a third party to the victim,
  2. the victim will access a modified page,
  3. while the SSL certificate is valid and no security warning appears: the page really is served by the legitimate site, only its content has been altered.


Stored XSS

Hostile data is accepted and stored

  1. in a file,
  2. in a database, or
  3. in any other backend system.

The data is then sent back to every visitor of the web site. The risk is greatest when a large number of users can see the unfiltered content:

  1. Content Management Systems (CMS), where stored XSS is very dangerous
  2. Blogs
  3. Forums
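The two server-side flows above, reflected and stored, as an added example that is not code from the original page. The shop and guestbook, the `q` parameter name, the attacker's link and the comments are all constructed for the illustration; each page is rendered once raw and once through an HTML escaper so the difference is visible.

```javascript
// Added example (not from the original page): a reflected search page and a
// stored guestbook, each rendered without escaping and with it.
// URLs, parameter names and guestbook contents are constructed here.

// Minimal HTML escaper for untrusted text placed in an element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// The payload the attacker puts in a link: a query parameter carrying a script.
const PAYLOAD = '<script type="text/javascript">alert("Hello World");</script>';
const ATTACKER_LINK = "https://shop.example/search?q=" + encodeURIComponent(PAYLOAD);

// Reflected XSS: the server echoes the "q" parameter straight back into the page.
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for ${q}</h1>`;             // untrusted data inserted raw
}

function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for ${escapeHtml(q)}</h1>`; // same data, entity-encoded
}

// Stored XSS: hostile data is written to a backend (here an in-memory array)
// and later sent to every visitor of the guestbook.
const guestbook = [];
function postComment(author, text) {
  guestbook.push({ author, text }); // stored as-is; no filtering at write time
}

function renderGuestbook(escape) {
  const enc = escape ? escapeHtml : (s) => s;
  const items = guestbook.map((c) => `<li><b>${enc(c.author)}</b>: ${enc(c.text)}</li>`);
  return "<ul>" + items.join("") + "</ul>";
}

// Check used below: does the rendered page still contain an executable script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

postComment("alice", "Nice site!");
postComment("mallory", PAYLOAD); // hostile comment, stored like any other

console.log(renderSearchVulnerable(ATTACKER_LINK)); // script runs for whoever clicks the link
console.log(renderSearchSafe(ATTACKER_LINK));       // payload is displayed as text
console.log(renderGuestbook(false));                // every visitor runs mallory's script
console.log(renderGuestbook(true));                 // payload displayed as text
```

The escaper is deliberately the whole fix here: the stored copy of mallory's comment is left untouched, because the reliable place to neutralise the data is at output time, in the context it is rendered into.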



DOM-based XSS

  1. Document Object Model (DOM): the browser represents the document as a tree.
  2. The tree is rooted at the document node.
  3. Each tag and each piece of text is a node in the tree.
  4. JavaScript can manipulate the whole document: create new nodes, remove existing nodes and change the content of nodes.
  5. XSS modifies the DOM. In DOM-based XSS the hostile data does not have to be reflected or stored by the server at all: the site's own client-side script reads it from a source such as the URL fragment and writes it into the tree through a sink such as innerHTML.
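A DOM-based XSS sink and its fix, as an added example that is not from the original page. The welcome page, the URL and the payload are invented; `stubElement()` is a stand-in for a real DOM node that only records what was assigned (a real browser parses an innerHTML assignment as markup and would fire the onerror handler), so that the logic runs outside a browser.

```javascript
// Added example (not from the original page): DOM-based XSS sink vs. fix.
// The URL and element are invented; stubElement() stands in for a DOM node.

// Stand-in for a DOM element: records the two properties a sink writes to.
function stubElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable client-side code: the site's own script reads the URL fragment
// and writes it into the tree as markup, so the browser parses it as HTML.
function showWelcomeVulnerable(locationHref, el) {
  const hash = new URL(locationHref).hash;            // e.g. "#%3Cimg..."
  el.innerHTML = "Welcome, " + decodeURIComponent(hash.slice(1));
  return el;
}

// Fixed: the same data is inserted as a text node, so it can only ever be text.
function showWelcomeSafe(locationHref, el) {
  const hash = new URL(locationHref).hash;
  el.textContent = "Welcome, " + decodeURIComponent(hash.slice(1));
  return el;
}

// What the server actually receives for this URL: the fragment is never sent,
// so server-side filtering or escaping cannot see the payload at all.
function requestTargetSeenByServer(locationHref) {
  const u = new URL(locationHref);
  return u.pathname + u.search;
}

// Constructed attack URL: an image that fails to load and runs its onerror handler.
const ATTACK_URL = "https://app.example/welcome#" +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

const vulnerable = showWelcomeVulnerable(ATTACK_URL, stubElement());
const safe = showWelcomeSafe(ATTACK_URL, stubElement());
console.log(requestTargetSeenByServer(ATTACK_URL)); // "/welcome": no trace of the payload
console.log(vulnerable.innerHTML);                  // markup; a browser would execute it
console.log(safe.textContent);                      // same string, shown literally
```

The point to take from the third function is that a Web application firewall or server-side filter never sees the fragment; the only place this class of bug can be fixed is in the client-side code that chooses the sink.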



Reducing the threat

  1. Encoding/escaping of untrusted input at output time, in the context it is rendered into (HTML body, attribute, URL, JavaScript).
  2. Safely validating untrusted HTML input where rich content must be accepted (allow-list the tags and attributes, never block-list).
  3. Cookie security: mark session cookies HttpOnly so injected script cannot read them, and Secure so they are only sent over HTTPS.
  4. Disabling scripts in the browser.
  5. Defensive technologies (Content Security Policy, originally a Mozilla technology; JavaScript sandbox tools; auto-escaping template engines, etc.).
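Items 1, 3 and 5 combined in one HTTP response, as an added example that is not from the original page. The cookie name, the policy string and the other header values are choices made for this illustration; `missingCookieFlags` is an added check for auditing an existing Set-Cookie header.

```javascript
// Added example (not from the original page): a response with output escaping,
// a hardened session cookie and a Content Security Policy, plus a cookie audit.
// Cookie name, policy and header values are illustrative choices.

// Escaper for untrusted text in an element body or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Session cookie: HttpOnly keeps it out of document.cookie, so an injected
// script cannot send it to a third party; Secure keeps it off plain HTTP;
// SameSite limits cross-site requests that carry it.
function sessionCookie(name, value) {
  if (/[;\s=]/.test(name) || /[;\s]/.test(value)) {
    throw new Error("cookie name/value must not contain ';', '=' or whitespace");
  }
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Audit an existing Set-Cookie header value and report the missing defences.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}

// Content Security Policy: only scripts loaded from our own origin may run.
// Inline <script> blocks and inline event handlers such as onerror="..." are
// blocked by the browser, so an injection that slips past escaping still
// cannot execute.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

function buildResponse(sessionId, userName) {
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": CSP,
      "X-Content-Type-Options": "nosniff",
      "Set-Cookie": sessionCookie("sid", sessionId),
    },
    body: `<p>Hello, ${escapeHtml(userName)}</p>`,
  };
}

console.log(missingCookieFlags("sid=abc123"));              // [ 'HttpOnly', 'Secure', 'SameSite' ]
console.log(buildResponse("abc123", '<script>alert(1)</script>'));
```

The layers are independent on purpose: escaping stops the markup from being created, CSP stops it from running if it is created anyway, and HttpOnly limits what a script that does run can steal.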



Recent XSS attacks:

GoDaddy recently went down under a DoS attack attributed to an Anonymous hacker. After GoDaddy's CEO denied that any such hack by Anonymous had taken place, the attackers penetrated the site again using XSS.