Wednesday, May 6, 2020
Procedure and Prevention Strategies – Free Samples to Students
Question: Discuss the procedure and prevention strategies of cross-site scripting.

Answer:

Introduction

Cross-site scripting (XSS) is an attack on web applications that has grown with the extreme popularity of web applications and the heavy use of the Internet (Antipa & Sanso, 2016). It is a client-side code injection attack through which an attacker injects malicious code into a web application or website. This paper gives an overview of the cross-site scripting attack and how it operates in the real world, and illustrates the stages of the attack. It then describes the outcome of a real-world XSS incident, the impact and consequences of that attack, and the security aim that was breached as a result. Finally, it describes the specific actions taken by the vendor and the organization to address the issue and provide countermeasures for the vulnerability.

Cross-site scripting is a type of vulnerability that typically exists in web applications. It lets attackers inject malicious code into web pages on the client side, so that the code runs whenever other users view those pages. The attack occurs because the application uses unvalidated or improperly decoded user input to generate its output (Guamán et al., 2016). In this type of attack the attacker does not directly target the victim: the threat is delivered indirectly by exploiting a vulnerability in the web application or website, and the vulnerable site is used as the carrier that transfers the malicious code to the target's browser.

The XSS attack proceeds in stages. The first stage is locating an XSS vulnerability, that is, an injection point, in the website or web application; various proprietary tools available online facilitate this (Goswami et al., 2017). The second stage is crafting the XSS payload, the malicious script that exploits that vulnerability. Advanced attackers also obfuscate the payload, for example with hex encoding, so that it is harder to detect and locate (Gupta & Gupta, 2017). The final stage uses phishing and social engineering techniques to trick users into clicking the malicious link; once the victim clicks it, the attack sequence begins.

Ordinarily a script on one page cannot read information belonging to a page served from a different host, so obtaining such information from the browser by script alone is practically impossible. XSS makes exactly this breach feasible (Wang & Zhang, 2016): it opens a hole through which the malicious script bypasses the security mechanisms the browser implements to protect the visiting client, because the injected code slips past the site's input verification and then executes as part of the vulnerable site. There are three types of XSS: DOM-based (local) XSS, non-persistent (reflected) XSS, and second-order (persistent or stored) XSS. DOM-based XSS works with browsers that do not modify the characters of the URL before client-side script uses them, and is combined with social engineering techniques (Teto, Bearden & Lo, 2017). Reflected XSS occurs when input data is immediately used by the web server to build the result page; the payload vector consists of malicious URLs and links. Persistent XSS can be carried out with or without social engineering, because the payload is stored on the server.

CVE of the XSS attack

In Common Vulnerabilities and Exposures terms, cross-site scripting is the injection of malicious code into a website where victims can view it. Untrusted data enters the web application; the application then generates a web page that includes the untrusted data, and does not restrict that data from being executed. This exposure affects almost all companies, leading to the theft of user credentials and other important personal information.

The incident chosen for this paper is the cross-site scripting attack on eBay. The main outcome of the attack was the theft of users' login credentials and the hijacking of legitimate users' accounts. The attack also allowed attackers to impersonate the actual user and access sensitive information on the victim's behalf (Jin et al., 2014). Furthermore, it allowed attackers to redirect users to a phishing page through malicious links: once a user clicked the link, they were taken to a phishing copy of the eBay login page and lost their login details. XSS targets the company's websites. In addition, the company may suffer reputational damage, including the loss of customers and stakeholders (Yusof & Pathan, 2016). The attack also led to a loss of customer trust and confidence, and the organization suffered a severe downturn with immense financial loss and loss of customers, as it faced several difficulties in resolving customer queries. The website was also vulnerable to phishing attacks in which clicking the provided links led to fake sites that captured user information, and it led to the installation of malware on users' systems.

Security breach and the resultant consequences of the XSS attack

The aim of the security measures is to prevent users' essential information from being revealed to attackers. eBay's website stores personal information such as personal files, bank account details, payment information and client information. The consequences of the XSS attack were the loss of consumer trust and confidence in the organization (Sulatycki & Fernandez, 2015), interruption of business processes and tremendous damage to the organization's reputation.

XSS can be prevented by three procedures (Mahmoud et al., 2017). First, escaping the input data ensures that the application is safe for users. Second, validating the input data ensures that the application renders only correct data, so malicious data is prevented from entering the system. Third, sanitizing user input also prevents XSS attacks.

Conclusion

XSS occurs mainly because unvalidated input is used directly. These attacks aim to exploit the security of individuals' essential credentials: they inject malicious code into the web page, which leads to the compromise of those credentials. They cause immense loss of reputation for the organization and huge financial losses, and the organization also loses the trust and confidence of its customers to a great extent.

References

Antipa, D., & Sanso, A. (2016). U.S. Patent Application No. 14/541,785.
Goswami, S., Hoque, N., Bhattacharyya, D. K., & Kalita, J. (2017). An unsupervised method for detection of XSS attack. IJ Network Security, 19(5), 761-775.
Guamán, D., Guamán, F., Jaramillo, D., & Correa, R. (2016). Implementation of techniques, standards and safety recommendations to prevent XSS and SQL injection attacks in Java EE RESTful applications. In New Advances in Information Systems and Technologies (pp. 691-706). Springer, Cham.
Gupta, S., & Gupta, B. B. (2017). Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art. International Journal of System Assurance Engineering and Management, 8(1), 512-530.
Jin, X., Hu, X., Ying, K., Du, W., Yin, H., & Peri, G. N. (2014, November). Code injection attacks on HTML5-based mobile apps: characterization, detection and mitigation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (pp. 66-77). ACM.
Mahmoud, S. K., Alfonse, M., Roushdy, M. I., & Salem, A. B. M. (2017, December). A comparative analysis of Cross Site Scripting (XSS) detecting and defensive techniques. In Intelligent Computing and Information Systems (ICICIS), 2017 Eighth International Conference on (pp. 36-42). IEEE.
Sulatycki, R., & Fernandez, E. B. (2015, October). A threat pattern for the cross-site scripting (XSS) attack. In Proceedings of the 22nd Conference on Pattern Languages of Programs (p. 16). The Hillside Group.
Teto, J. K., Bearden, R., & Lo, D. C. T. (2017, April). The impact of defensive programming on I/O cybersecurity attacks. In Proceedings of the SouthEast Conference (pp. 102-111). ACM.
Wang, X., & Zhang, W. (2016). Cross-site scripting attacks procedure and prevention strategies. In MATEC Web of Conferences (Vol. 61, p. 03001). EDP Sciences.
Yusof, I., & Pathan, A. S. K. (2016). Mitigating cross-site scripting attacks with a content security policy. Computer, 49(3), 56-63.
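The following is a worked example added here; it is not part of the essay above or of any vendor's code. It illustrates two of the XSS types discussed in the essay (reflected and persistent) with a toy server-side page renderer, and then applies the essay's three prevention procedures (escaping, validation, sanitization) to the same renderer. The function names, the sample query, the sample comments and the harmless probe payloads are all constructed for the example.

```javascript
// Added example, not part of the original essay: a toy server-side renderer
// that shows reflected and stored (persistent) XSS and the hardened forms
// that apply the essay's three defences: escaping, validation, sanitisation.
// The query and comments below are constructed sample data.

// ---- Vulnerable renderers ------------------------------------------------

// Reflected XSS: the search term from the URL is echoed straight into the
// response, so a crafted link delivered by phishing runs script in the
// victim's browser in the origin of the vulnerable site.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Persistent XSS: comments are stored as submitted and rendered for every
// later visitor, so no social engineering is needed once the payload is saved.
function renderCommentsVulnerable(comments) {
  return '<ul>' + comments.map((c) => `<li>${c}</li>`).join('') + '</ul>';
}

// ---- Defence 1: escape output --------------------------------------------
// Encode the characters that can change HTML structure so user data is
// rendered as text, never as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// ---- Defence 2: validate input -------------------------------------------
// Accept only what the field is supposed to hold (an allow-list), here a
// short search term of letters, digits, spaces, '_' and '-'.
const SEARCH_TERM = /^[\p{L}\p{N} _-]{1,64}$/u;
function validateSearchTerm(query) {
  return SEARCH_TERM.test(query);
}

// ---- Defence 3: sanitise input -------------------------------------------
// For rich-text fields: escape everything, then re-enable only an exact
// allow-list of plain tags. Attributes never survive, so event handlers
// such as onerror= cannot be smuggled in through an allowed tag.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong'];
function sanitizeComment(comment) {
  let out = escapeHtml(comment);
  for (const tag of ALLOWED_TAGS) {
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`);
    out = out.split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

// ---- Hardened renderers --------------------------------------------------
function renderSearchHardened(query) {
  if (!validateSearchTerm(query)) {
    return '<h1>Invalid search term</h1>'; // reject; never echo the bad input
  }
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}
function renderCommentsHardened(comments) {
  return '<ul>' + comments.map((c) => `<li>${sanitizeComment(c)}</li>`).join('') + '</ul>';
}

// ---- Check: does rendered HTML still contain active content? -------------
// A crude detector used only to compare the two renderers: a <script> tag,
// an on*= event-handler attribute, or a javascript: URL.
const ACTIVE_CONTENT = /<script\b|<\w+[^>]*\son\w+\s*=|javascript:/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Constructed, harmless probe payloads of the kind a tester would submit.
const SAMPLE_QUERY = 'shoes<script>alert(1)</script>';
const SAMPLE_COMMENTS = ['Great <b>product</b>', '<img src=x onerror="alert(2)">'];

// Compare the vulnerable and hardened renderers on the same inputs.
function demo() {
  return {
    reflectedVulnerable: containsActiveContent(renderSearchVulnerable(SAMPLE_QUERY)),
    reflectedHardened: containsActiveContent(renderSearchHardened(SAMPLE_QUERY)),
    storedVulnerable: containsActiveContent(renderCommentsVulnerable(SAMPLE_COMMENTS)),
    storedHardened: containsActiveContent(renderCommentsHardened(SAMPLE_COMMENTS)),
  };
}

console.log(demo()); // prints { reflectedVulnerable: true, reflectedHardened: false, storedVulnerable: true, storedHardened: false }
```

The sanitizer deliberately escapes first and then re-enables a fixed set of bare tags, rather than trying to strip dangerous tags with a regular expression; a strip-based approach can be defeated by nested or malformed tags, whereas nothing that was escaped can become markup again unless it exactly matches an allowed tag. In a real application the regex detector would be replaced by output encoding in the template engine and a maintained sanitization library, but the three defences shown map directly onto the essay's three procedures.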