This document discusses cross-site scripting (XSS) attacks against mobile applications. It defines XSS as a type of injection where malicious scripts are injected into trusted websites. The document describes three types of XSS attacks - reflected XSS, stored XSS, and DOM-based XSS. It provides examples of each type of attack and how attackers are able to execute scripts on a victim's machine by injecting code. The document concludes with recommendations for preventing XSS attacks, including validating all input data, encoding all output data, and setting the proper character encoding.
5. Cross Site Scripting (XSS)
Type of injection.
Malicious script injected on trusted or weak web
servers.
Attacker Uses Web Application to sent
malicious code.
Mostly uses client side application.
Example: HTML, JavaScript, VBScript, ActiveX,
Flash etc.
6. Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks occur when:
Data enters a Web application through an untrusted
source, most frequently a web request.
The data is included in dynamic content that is sent
to a web user without being validated for malicious
content.
7. XSS Example
Example of malicious code
Modification of the Document Object Model - DOM
(change some links, add some buttons)
Send personal information to thirds (javascript can
send cookies to other sites)
8. Cross Site Scripting (XSS)
Attacker Executes Script on the Victim’s
machine
Is usually Javascript
Can be any script language supported by the
victim’s browser
9. Types of XSS
Three types of Cross Site Scripting
Reflected
Stored
DOM injection
11. Reflected XSS Attacks
Reflected XSS are the most frequent type of
XSS attacks found in the wild.
Reflected attack is like phishing attack.
Attacker sends the malicious code via website
url.
Reflected attacks delivered to victim via email,
website url or by other medium.
An attacker convinces a victim to visit a URL.
After the site reflects the attacker's content back
to the victim, the content is executed by the
victim's browser.
12. Reflected XSS Attacks
Injected script is reflected off the web server.
such as in an error message
search result
or any other response
that includes some or all of the input sent to the
server as part of the request.
13. Reflected XSS Attacks Example
article.php?title=<meta%20http-
equiv="refresh"%20content="0;">
This makes a refresh request roughly about
every .3 seconds to particular page. It then acts
like an infinite loop of refresh requests,
potentially bringing down the web and database
server by flooding it with requests. The more
browser sessions that are open, the more
intense the attack becomes.
15. Stored XSS Attacks
Stored attacks are those where the injected
script is permanently stored on the target
servers.
such as in a database
in a message forum
visitor log
comment field
etc.
The victim then retrieves the malicious script
from the server when it requests the stored
information.
16. Stored XSS Attacks
Risk when large number of users can see
unfiltered content
Very dangerous for Content Management Systems
(CMS)
Blogs
Forums
17. Stored XSS Attacks
Stored XSS Attacks of cross-site scripting
vulnerability has the largest impact of all when
compared to other XSS variants because:
It will affect every visitor of the targeted web
application
Unless detected and manually removed, the
malicious code will remain active on the website,
thus having a very long term effect
Web browser’s XSS protection mechanisms do not
detect and stop persistent XSS
19. DOM Based XSS Attacks
XSS Modifies the Document Object Model
(DOM)
Javascript can manipulate all the document
It can create new nodes
Remove existing nodes
Change the content of some nodes
JavaScript is manipulated directly inside the
client
Using misconfiguration of client side code
Using flows in frameworks (AngularJS, JQuery, . . .
)
20. Example DOM Based XSS
Suppose the following code is used to create a
form to let the user choose his/her preferred
language. A default language is also provided in
the query string, as the parameter “default”.
Code
<select><script>
document.write("<OPTION
value=1>"+document.location.href.substring(do
cument.location.href.indexOf("default=")+8)+"</
OPTION>");
document.write("<OPTION
value=2>English</OPTION>");
21. Example (Cont.)
A DOM Based XSS attack against this page can
be accomplished by sending the following URL to
a victim:
http://www.some.site/page.html?default=<script
>alert(document.cookie)</script>
When the victim clicks on this link, the browser
sends a request for:
/page.html?default=<script>alert(document.coo
kie)</script>
to www.some.site. The server responds with the
page containing the above Javascript code. The
browser creates a DOM object for the page, in
23. Prevention (XSS Attack)
By validating of all incoming data or input data.
Appropriate encoding of all output data can
prevent this attack.
24. Input Validation
Use Standard input validation mechanism
Validate length, type, syntax and appropriate rules
Use the “Accept known good” validation
Reject invalid input
Do not forget that error messages might also
include invalid data
25. Output Validation
Ensure that all user-supplied data is
appropriately entity encoded before rendering
HTML or XML depending on output mechanism
means <script> is encoded <script>
Set the character encoding for each page you
output
specify the character encoding (e.g. ISO 8859-1 or
UTF 8)
Do not allow attacker to choose this for your users
26. Reference
OWASP Top 10 Mobile Risks by OWASP
https://en.wikipedia.org/wiki/Cross-site_scripting
- by wikipedia
https://www.owasp.org/index.php/Cross-
site_Scripting_(XSS) – by OWASP
https://www.owasp.org/index.php/XSS_(Cross_
Site_Scripting)_Prevention_Cheat_Sheet by
OWASP
https://www.owasp.org/index.php/Types_of_Cro
ss-Site_Scripting – Types of Cross Site
Scripting by OWASP
http://www.acunetix.com/websitesecurity/cross-
