IITM Journal of management and IT
  • Year: 2014
  • Volume: 5
  • Issue: 1

Study on Cross Site Scripting Attack

  • Author:
  • Jasvinder Singh
  • Total Page Count: 13
  • Page Number: 3 to 15

IITM, GGSIPU

Online published on 27 July, 2015.

Abstract

Web applications have become a dominant way to provide access to online services. Simultaneously, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript [18] code that is being embedded into web pages to support dynamic client-side behaviour. This script code is being executed in the context of the user's web browser. To protect the user's environment from malicious JavaScript[18] code, browsers have being using a sand-boxing mechanism that limits a script to access only resources associated with its origin site. Unfortunately, these security mechanisms do not suffice because a user can be lured into downloading malicious JavaScript [18] code from an intermediate, trusted site. In such a scenario, the malicious script is granted full access to all resources (e.g., authentication tokens and cookies) that belong to the trusted site. Such attacks are called cross-site scripting (XSS) [26, 2, 8] attacks. The XSS [26, 2, 8] attacks are easy to be executed, but difficult to be detected and prevented. One reason is the high flexibility being exhibited by HTML encoding schemes, offering the attacker many possibilities for circumventing server-side input filters that should prevent malicious scripts from being injected into trusted sites. Also, devising a client-side solution is not easy because of the difficulty of identifying JavaScript [18] code as being malicious.

Keywords

XSS (Cross-site scripting), HTML (Hyper Text Markup Language), SQL (Structured Query Language), HTTP (Hyper Text Transfer Protocol), URL (Uniform Resource Locator)