http://dx.doi.org/10.14400/JDC.2015.13.2.177

Attacks and Defenses for Vulnerability of Cross Site Scripting

Choi, Eun-Jung (Dept. of Information Security, Seoul Women's University)
Jung, Whi-Chan (School of Paul Math International School)
Kim, Seung-Yeop (School of Paul Math International School)
Publication Information
Journal of Digital Convergence, v.13, no.2, 2015, pp. 177-183
Abstract
Cross Site Scripting (XSS) enables attackers to steal other users' information (such as cookies or session identifiers) or to trigger unintended actions automatically by exploiting a vulnerability in a web application. XSS attack patterns can be divided into two types. One is Reflected XSS, which executes within a single HTTP request and its response; the other is Stored XSS, which attacks every victim who visits the page that accepted and stored the transmitted payload. Several countermeasures to these XSS attacks have been suggested: validation of user input, output validation through HTML encoding, and removal of possible injection points so that malicious code cannot be inserted into the web application. In this paper, the methods and procedures for these two types are explained and a penetration test is performed. With these suggestions, XSS attacks can be understood and their countermeasures prepared.
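The two attack types named in the abstract and the output-encoding countermeasure, as an added illustration that is not part of the paper: the sample query, the sample comment, the Guestbook class and the foreign_tags check are constructed for this example.

```python
from __future__ import annotations
import html
import re

# Constructed sample inputs (not from the paper): a search term and a guestbook
# comment that each carry markup, as a reflected / stored XSS probe would.
SAMPLE_QUERY = "<script>alert(1)</script>"
SAMPLE_COMMENT = 'nice site <img src=x onerror="alert(1)">'

# Reflected XSS: the request parameter is echoed into the page as-is, so the
# browser parses the attacker's tag as markup within this single response.
def search_page_unsafe(query: str) -> str:
    return f"<p>Results for: {query}</p>"

# Output validation by HTML encoding: < > & " ' are replaced with entities, so
# the same parameter is displayed as text instead of being executed.
def search_page_safe(query: str) -> str:
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

# Stored XSS: comments persist server-side (here an in-memory list standing in
# for the database) and are served to every later visitor of the page.
class Guestbook:
    def __init__(self) -> None:
        self.comments: list[str] = []

    def post(self, text: str) -> None:
        self.comments.append(text)

    def page_unsafe(self) -> str:
        return "<ul>" + "".join(f"<li>{c}</li>" for c in self.comments) + "</ul>"

    def page_safe(self) -> str:
        # Encode at the output injection point, so stored data is harmless
        # regardless of how it got into the store.
        items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in self.comments)
        return "<ul>" + items + "</ul>"

# Detection helper for a test harness: which tag names in the rendered HTML
# did the template itself not write?  Encoded input yields "&lt;", not "<",
# so a correctly escaped page returns an empty list.
_TAG_RE = re.compile(r"<\s*([a-zA-Z][\w-]*)")

def foreign_tags(rendered: str, expected: frozenset[str] = frozenset({"p", "ul", "li"})) -> list[str]:
    return [t.lower() for t in _TAG_RE.findall(rendered) if t.lower() not in expected]
```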
Keywords
XSS; Cross Site Scripting; Hacking; Injection; Security;