Occurs any time…
• Raw data from attacker is sent to an innocent user
Raw data…
• Stored in database
• Reflected from web input (form field, hidden field, url, etc…)
• Sent directly into rich JavaScript client
• Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)
Stored XSS
Reflected XSS
Business Impact of XSS
Attackers can…
Steal user sessions for complete account takeover.
Steal data on web pages viewed by victim.
Deface pages viewed by victim.
Use web pages for phishing.
Finding XSS
• Most common locations: blogs, forums, shout boxes, comment boxes, search boxes; there are too many to mention.
• Using Google dorks: search inurl:"search.php?q="
• XSS Examples
http://site.com/search.php?q=<script>alert("XSS")</script>
http://site.com/search.php?q=<script>window.open( "http://www.google.com/" )</script>
Finding XSS
• Be sure that there is a plan for input validation & encoding.
• Be sure that the plan covers all input data.
• Positive (allowlist) validation for all untrusted input fields.
• HTML entity encoding of all untrusted data reflected into the page.
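Added example (not part of the original slides) in Python: a reflected search page in its vulnerable form next to a hardened form that applies the two controls above, positive validation of the q parameter and HTML entity encoding of whatever is echoed back. The allowlist pattern and the sample query are constructed for illustration.

```python
import re

# Constructed sample: the reflected-XSS probe shown on the slides.
SAMPLE_QUERY = '<script>alert("XSS")</script>'

# Positive validation (assumed policy): letters, digits, space and a few
# punctuation characters, at most 100 characters. Everything else is rejected.
SEARCH_TERM_RE = re.compile(r"^[\w \-.,']{1,100}$")

# Characters that change meaning in an HTML text or attribute context.
_HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def is_valid_search_term(q: str) -> bool:
    """Allowlist check for the q parameter."""
    return SEARCH_TERM_RE.fullmatch(q) is not None


def encode_for_html(text: str) -> str:
    """HTML entity encode untrusted text so the browser renders it as text."""
    return "".join(_HTML_ENTITIES.get(ch, ch) for ch in text)


def render_results_vulnerable(q: str) -> str:
    """Reflects the raw parameter into the page: the classic reflected XSS bug."""
    return f"<p>Results for: {q}</p>"


def render_results_hardened(q: str) -> str:
    """Reject input outside the allowlist, then encode what is reflected."""
    if not is_valid_search_term(q):
        return "<p>Invalid search term.</p>"
    return f"<p>Results for: {encode_for_html(q)}</p>"


if __name__ == "__main__":
    print(render_results_vulnerable(SAMPLE_QUERY))
    print(render_results_hardened(SAMPLE_QUERY))
    print(render_results_hardened("owasp top 10"))
    # Encoding alone, for a page that must echo arbitrary text:
    print(encode_for_html(SAMPLE_QUERY))
```

The allowlist stops the probe before it reaches the template; the encoder is what protects pages that legitimately have to echo characters like < or " back to the user.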