REVIEW FROM LITERATURE
In his survey on Cross Site Scripting, Suman Saha depicted that all the techniques those have been used to detect XSS and arranged wide analyses to evaluate performances of those vulnerability detection methodologies.
S.Shalini, S.Usha (2011) described that in the rece days, Cross Site Scripting (XSS) Attacks become more popular security issue in the modern web applications. These Attacks make use of vulnerabilities in the application, resulting in serious consequences, such as theft of confidential information, cooki and other user credentials.
S.Shalini, S.Usha mentioned usually, Cross Site Scripting attacks occur when user accessing information in intermediate trusted sites. Front scripts act as a web proxy and protect against information leakage from the user environment. Cross Site Scripting (XSS) Attacks are easy to run and execute, but difficult to detect and prevent. In addition
to that, most of the client-side scripts degrade the performance of the application resulting in a poor web surfing experience.
P. Umasankari, E. Uma, & A. Kannan (2013) stated recent reports about web applications reveals that crosssite scripting (XSS) is one of the most common and severe web security defects. It is a type of code injection vulnerability that enables attackers to send venomous scripts to the web clients. It occurs when the web application references the user input in its HTML pages without properly validating the web pages.
DETECTION OF XSS VULNERABILITIES
Suman Saha, described three distinct types of XSS attacks: non-persistent, persistent, and DOM-based. He explained that non-persistent cross-site scripting vulnerability is the most common type. The attack code is not persistently stored, but, instead, it is immediately reflected to the user.
He explained Persistent type stores malicious code persistently in a resource (in a database, file system, or other location) managed by the server and later displayed to users without being encoded using HTML entities.
He mentioned regarding DOM-based cross-site scripting attacks are performed by modifying the DOM “environment” in the client side instead of sending any malicious code to server. So, the server doesn’t get any scope to verify the payload.
According to S.SHALINI, S.USHA, Cross-site
Shashank Gupta &Lalitsen Sharma narrated, Cross-Site Scripting (XSS) attack is a common vulnerability which is being exploited in web applications through the injection of HTML tags and malicious Java Scripts. A weak input validation on the web application causes the stealing of cookies from the victim’s web browser. Attacker hijack the victim’s session by stealing the important cookies from the victim’s browser.
As Shashank Gupta &Lalitsen Sharma wrote, generally for static detection of XSS, source code analysis will be performed. However, for dynamic testing of XSS, known attacks are executed against the web applications. Researchers have proposed various detection techniques to discover the XSS attacks. Various tools are available to detect the XSS vulnerabilities. To detect XSS vulnerable code in PHP code can be performed by Pixy tool. Many prototype tools have been developed. based on the Pixy tool in the industry.
In their journal, P. Umasankari et al. said, an attacker may inject the malicious scripts via script inputs in the web application’s HTML pages. When a client visits the tapped web page, the client’s browser not being aware of the presence of malicious scripts shall execute all scripts sent by application resulting in a successful XSS attack. XSS attacks may be the reason for severe security violations.
PREVENTING XSS VULNERABILITIES
Shashank Gupta and Laliten Sharma, stated that the existing techniques like filtering of tags and special characters, maintaining a list of vulnerable sites etc. cannot eliminate the XSS vulnerabilities completely.