It is common to use client side validations and front end scripting using JavaScript, VBScript and so on in web applications. Excessive use of these client side scripts increasing the possibilities of serious security vulnerabilities. The most severe threat among the software vulnerability attacks is Cross Site Scripting (XSS). Many of the recent reports on Web Application security reveals Cross Site Scripting (XSS) is one of the common and severe attack. OWASP 2017 has released Top 10 application security risks. In that report, Cros Site Scripting (XSS) is considered as 3rd position in the vulnerable attacks. Cross Site Scripting Attacks are quite easy to attack and difficult to detect and prevent.


Suman Saha (2009) described in his publication on Cross-Site Scripting, Web application expands its usages to provide more variety of services and it has become one of the most essential communication channels between service providers and the common users. To augment the user experience, many web applications are using client side scripting languages such as JavaScript, VBScript, and so on. Excessive usage of front-end scripting languages increases the chances of serious security vulnerabilities in web applications, such as cross-site scripting (XSS).

In his survey on Cross Site Scripting, Suman Saha depicted that all the techniques those have been used to detect XSS and arranged wide analyses to evaluate performances of those vulnerability detection methodologies.

S.Shalini, S.Usha (2011) described that in the rece days, Cross Site Scripting (XSS) Attacks become more popular security issue in the modern web applications. These Attacks make use of vulnerabilities in the application, resulting in serious consequences, such as theft of confidential information, cooki and other user credentials.

S.Shalini, S.Usha mentioned usually, Cross Site Scripting attacks occur when user accessing information in intermediate trusted sites. Front scripts act as a web proxy and protect against information leakage from the user environment. Cross Site Scripting (XSS) Attacks are easy to run and execute, but difficult to detect and prevent. In addition

to that, most of the client-side scripts degrade the performance of the application resulting in a poor web surfing experience.

As per Shashank Gupta and Laliten Sharma (2012) Cross Site Scripting attacks on web applications are growing rapidly due to new front-end scripting technologies and frameworks. Cross-Site Scripting (XSS) vulnerabilities are being exploited by the attackers to steal web browser’s resources such as cookies, passwords, and other credentials by injecting the malicious JavaScript code on the victim’s web applications.

P. Umasankari, E. Uma, & A. Kannan (2013) stated recent reports about web applications reveals that crosssite scripting (XSS) is one of the most common and severe web security defects. It is a type of code injection vulnerability that enables attackers to send venomous scripts to the web clients. It occurs when the web application references the user input in its HTML pages without properly validating the web pages.


Suman Saha, described three distinct types of XSS attacks: non-persistent, persistent, and DOM-based. He explained that non-persistent cross-site scripting vulnerability is the most common type. The attack code is not persistently stored, but, instead, it is immediately reflected to the user.

In his publication Suman Saha, wrote that nonpersistent cross-site scripting vulnerabilities can be exploited, for example, by sending to the victim an email with a special crafted link pointing to the search form and containing a malicious JavaScript code. By tricking the victim into clicking this link, the search form is submitted with the JavaScript code as a query string and the attack script is immediately sent back to the victim, as part of the web page with the result.

He explained Persistent type stores malicious code persistently in a resource (in a database, file system, or other location) managed by the server and later displayed to users without being encoded using HTML entities.

He mentioned regarding DOM-based cross-site scripting attacks are performed by modifying the DOM “environment” in the client side instead of sending any malicious code to server. So, the server doesn’t get any scope to verify the payload.
According to S.SHALINI, S.USHA, Cross-site

scripting or XSS is a web security vulnerability where the attacker injects malicious client side script into the web page. When user visits the web page, the script automatically downloads and run by the web browser. Due to application developers not having awareness or knowledge of security vulnerabilities, XSS become most popular attack. It results poorly developed code riddles with security flaws. JavaScript provide full access to HTML pages using Document Object Model (DOM). Hence, the script can modify the current document exists in arbitrarily. Even it is possible to delete the document and create a new document to send false message to the users.

Shashank Gupta &Lalitsen Sharma narrated, Cross-Site Scripting (XSS) attack is a common vulnerability which is being exploited in web applications through the injection of HTML tags and malicious Java Scripts. A weak input validation on the web application causes the stealing of cookies from the victim’s web browser. Attacker hijack the victim’s session by stealing the important cookies from the victim’s browser.

As Shashank Gupta &Lalitsen Sharma wrote, generally for static detection of XSS, source code analysis will be performed. However, for dynamic testing of XSS, known attacks are executed against the web applications. Researchers have proposed various detection techniques to discover the XSS attacks. Various tools are available to detect the XSS vulnerabilities. To detect XSS vulnerable code in PHP code can be performed by Pixy tool. Many prototype tools have been developed. based on the Pixy tool in the industry.

In their journal, P. Umasankari et al. said, an attacker may inject the malicious scripts via script inputs in the web application’s HTML pages. When a client visits the tapped web page, the client’s browser not being aware of the presence of malicious scripts shall execute all scripts sent by application resulting in a successful XSS attack. XSS attacks may be the reason for severe security violations.


In their study, S.SHALINI, S.USHA, they stated a malicious Web site can employ JavaScript to make the changes to the local system and copy or delete the files.
Shashank Gupta and Laliten Sharma, stated that the existing techniques like filtering of tags and special characters, maintaining a list of vulnerable sites etc. cannot eliminate the XSS vulnerabilities completely.

0/5 (0 Reviews)


Please enter your comment!
Please enter your name here