Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art

  • Shashank Gupta
  • B. B. Gupta
Review

Abstract

Nowadays, web applications are becoming one of the standard platforms for representing data and releasing services over the World Wide Web. Since web applications are increasingly used for security-critical services, they have become a popular and valuable target for web-related vulnerabilities, even though several defensive mechanisms have been built up to reinforce modern web applications and mitigate the attacks instigated against them. We have analyzed the major concerns for web applications and Internet-based services that persist in several web applications of diverse organizations, such as banking, health care, financial services, retail and so on, by referring to the Website Security Statistics Report of White Hat Security. In this paper, we highlight some of the serious vulnerabilities found in modern web applications. The Cross-Site Scripting (XSS) attack is the topmost vulnerability found in today’s web applications and has become a plague for them. XSS attacks permit an attacker to execute malicious scripts in the victim’s web browser, resulting in various side effects such as data compromise and the stealing of cookies, passwords, credit card numbers, etc. We have also discussed a high-level taxonomy of XSS attacks and detailed incidences of these attacks on web applications. A detailed, comprehensive analysis of the exploitation, detection and prevention mechanisms of XSS attacks has also been discussed. Based on the explored strengths and flaws of these mechanisms, we have discussed some further work.

Keywords

Cross-Site Scripting (XSS); White Hat Security; Internet; World Wide Web (WWW); JavaScript code injection attacks; Malicious JavaScript

Copyright information

© The Society for Reliability Engineering, Quality and Operations Management (SREQOM), India and The Division of Operation and Maintenance, Lulea University of Technology, Sweden 2015

Authors and Affiliations

  1. National Institute of Technology Kurukshetra, Kurukshetra, India