XSS Proof of Concept Implementation, Analysis and Countermeasures

Abstract

Owing to the fact that Internet forms an integral part of human lives, and that it carries a huge amount of confidential and sensitive data every second, security is a key concern in communication. Communication is all about two or more end devices communicating over a channel. Thus, securing servers, clients and the channel through which they communicate is of utmost importance. Cross-site scripting attacks pose threats to a large number of web applications where both server and client security must be dealt with, for ensuring a secure environment. XSS attacks can be used to embed malicious scripts in web application and web sites. Whenever the user visits any of such website or application in their browser, the client system becomes victim of XSS attack because the unaware client is responsible for triggering the action on behalf of attacker. The most common way to take advantage of XSS is through the use of social engineering techniques to lure users into performing actions that execute malicious scripts. In thesis work, an approach of cookie stealing and shell exploitation has been implemented to demonstrate proof of concept of XSS scripts on client machine. Clients become victim of these attacks so easily because they are not aware of vulnerability that is caused due to scripting content execution. Therefore it is necessary to let people know about the variety of harms caused by XSS scripts. So as to show the hazardous effects caused with the execution of XSS scripts, this work illustrates two different attacks that have been launched using XSS, one of them being potential leakage to cookie information and other one giving away a client shell to the attacker. Main purpose of this work is to make users aware about the consequences of XSS attacks.