JOURNAL OF COMPUTING, VOLUME 2, ISSUE 7, JULY 2010, ISSN 2151-9617
http://sites.google.com/site/journalofcomputing/
www.journalofcomputing.org

Cross-site Scripting Attack in Social Networking Environment

Fahim Mohammed, Prof. Deepak Singh Tomar, Dr. J.L. Rana

Abstract—Social networks are now an effective means for end users to share information and views; high network bandwidth and ample storage make this sharing practical. Their security and privacy properties, however, remain poorly defined. In recent years many social networking sites have suffered cross-site scripting (XSS) and phishing attacks, carried out by malicious users who insert script into web form fields. In this work an attack scenario in a social networking environment is implemented to demonstrate how an attacker can use poorly written application code to degrade server performance and to mount a phishing attack on a social website. Challenges in handling cross-site scripting attacks in the web environment are also presented.

Index Terms—XSS, Social network, Malicious Code, Phishing, Privacy and Security.

————————————————————

Fahim Mohammed is with the Department of Computer Science and Engineering, Maulana Azad National Institute of Technology, Bhopal, India 462051.
Deepak Singh Tomar is with the Department of Computer Science and Engineering, Maulana Azad National Institute of Technology, Bhopal, India 462051.
Dr. J.L. Rana is with the Department of Computer Science and Engineering, Maulana Azad National Institute of Technology, Bhopal, India 462051.

1 INTRODUCTION

A web application is accessed over a wide network. Such applications offer services like mail, online shopping, web portals and social networking. Social networking sites can be accessed anywhere and at any time: whether you are in India or elsewhere, you can develop an online friendship with someone in Nepal, Bangladesh or anywhere else. A social network service focuses on building social relations among people. Social networking sites allow users to share ideas, activities, events and interests within their individual networks. The most widely used social networking sites are Facebook, Twitter, MySpace, Orkut, Hi5, FriendFinder, Yahoo! 360 etc. These sites offer attackers various ways to conduct an attack. Attackers inspect the architecture of the web application to understand its design, identify potentially weak aspects, and use these weaknesses to break or exploit the application. The risks associated with social networking include data theft and privacy leakage.

Cross-site scripting (XSS) is a type of code injection, usually found in web applications, that enables an attacker to inject client-side script into web pages viewed by other users. Countless social networking sites allow users to post comments and messages as plain text, HTML or active content (such as JavaScript or Flash), and to share a variety of multimedia content such as images, video clips and documents. These comments, messages and attachments may contain malicious code that causes the user's browser to perform unintended actions, such as navigating to a malicious website. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting holes are web application vulnerabilities that permit attackers to get around the client-side security mechanisms that modern browsers enforce on web content. By finding ways to inject malicious scripts into web pages, an attacker can gain access to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection [2] [3].

In this paper, Section 2 discusses the security challenges for social networks. Section 3 presents the categories of XSS, Section 4 covers XSS through HTTP headers, Section 5 describes the attack scenarios, and Section 6 surveys approaches against XSS attacks.

2 SECURITY CHALLENGES FOR SOCIAL NETWORK

In social networks people share private information such as date of birth, email address, home address, photos and family relations. Individually some of this information may seem unimportant, but collectively it can be used by an attacker to commit frauds such as credit card fraud or identity theft, and it lets the attacker mount targeted real-life attacks with detailed knowledge of the intended victim. Social network sites encourage users to share information. Once information is posted or uploaded to a social network site it should no longer be considered private, even if the site has strong privacy settings, because privacy then depends entirely on the protection afforded by the web application. Attackers may also aggregate information from multiple sites to gain access to private information (e.g., online banking records, email). For example, personal information posted to social networking sites could
be used to compromise security credentials (e.g., password, PIN, security questions) for that site or for other sites, giving the attacker access to private information.

3 CROSS-SITE SCRIPTING (XSS) CATEGORY

3.1 Persistent (or stored) XSS vulnerability
Stored cross-site scripting is the most dangerous type of XSS. The malicious script is stored (persisted) by the server, typically in a database, and does not execute until it is retrieved and rendered for a user. The attack can lie dormant for any period of time until a user views the page in which the injected script is present; at that point the script executes in the user's browser with the privileges of the user's session. Persistent XSS is more significant than other types because the victim need not be tricked into following a crafted link: the malicious script is delivered automatically to every visitor of the affected page. The injection methods vary widely; in some cases the attacker may not even need to interact directly with the web functionality itself to exploit such a hole.

3.2 Non-persistent (or reflected) XSS vulnerability
The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type. These holes are triggered when data provided by a web client, most commonly in HTTP query parameters or HTML form submissions, is used immediately by server-side scripts to build a page of results for that user without properly sanitizing the response. Because HTML documents have a flat, serial structure that mixes control statements, formatting and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding can lead to markup injection. A classic example is a site search engine: if one searches for a string, the search string is typically redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw results.

3.3 Traditional versus DOM-based vulnerabilities
Initially, cross-site scripting vulnerabilities occurred in the server-side code responsible for preparing the HTML response delivered to the user. With the advent of Web 2.0 applications a new class of XSS defect has come into view: DOM-based vulnerabilities. These occur in the content processing stages executed by the client, usually in client-side JavaScript. The name refers to the standard model for representing HTML or XML content, the Document Object Model (DOM). JavaScript programs manipulate the state of a web page through the DOM and fill it with dynamically computed data; when that data is taken from an untrusted source such as the page URL without validation, the injection happens in the browser and the malicious input may never reach the server at all.

4 XSS THROUGH HTTP HEADER

4.1 HTTP Header Injection
Headers are mostly hidden from users. HTTP header injection is a common class of web application vulnerability that occurs when Hypertext Transfer Protocol (HTTP) headers are generated dynamically from user input. Header injection in HTTP responses enables HTTP response splitting and cross-site scripting (XSS) attacks: it allows an attacker to split one HTTP response into several by injecting malicious response headers. This attack can be used to deface web sites [4].

4.2 HTTP Response Splitting
HTTP response splitting affects a wide variety of web applications. It occurs when data enters a web application from an untrusted source, most commonly an HTTP request, and is incorporated into an HTTP response header sent back to a user without being validated for malicious characters. Response splitting is a means for an attacker to pass malicious data through a vulnerable application; the application accepts this data and writes it into the HTTP response header. The attack is possible whenever the application permits input containing carriage return (\r) and line feed (\n) characters in a header value, because these characters end the current header line and give the attacker control of the remaining headers. Failure to remove \r and \n therefore allows the attacker to set arbitrary headers, take control of the body, or split the response into two or more separate responses [5].

5 SCENARIO FOR CROSS SIDE SCRIPTING ATTACKS

5.1 Case – 01 – Invade a Web Server performance through XSS injection
XSS gives the attacker the opportunity to exploit a vulnerable page by inserting his own script into it. XSS may also be used to degrade the performance of the web server. For example, the attacker injects into a vulnerable web page a piece of code that creates numerous directories. Whenever a user accesses this vulnerable page the malicious code runs automatically, creating numerous directories on the server, and the performance of the web server degrades. Note that script injected through XSS executes in the visitor's browser, not on the server; for the directories to be created on the server, the forum must execute the posted content server-side (for example as a JSP page) or the injected script must drive repeated requests to a server-side function that creates them.
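The two sinks discussed in Sections 3.2 and 4.2, a search term reflected into the HTML body and a request value reflected into a response header, are shown together below in a small Node.js response builder. This is an added example, not code from the paper; the function names, the `q` and `lang` parameters and the cookie header are assumptions made for the illustration. It contrasts the vulnerable echo with the encoded one, and shows that a header value containing CR/LF must be rejected rather than written, since the raw bytes otherwise contain two responses.

```javascript
// Added example (not from the paper): building an HTTP response from
// untrusted request data in two output contexts, the HTML body (Section 3.2,
// reflected XSS) and a response header (Section 4.2, response splitting).
// Function and parameter names are the example's own.

// Context 1: HTML body. Encode the five characters that can change HTML
// structure so the search term is displayed verbatim but never parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable version of the classic search-result page: the term is echoed as-is.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened version: identical output for benign input, encoded output for markup.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Context 2: a response header. A header value must not contain CR or LF,
// otherwise the attacker ends the header line and supplies the rest of the
// response. Reject (rather than silently strip) so the attempt is visible in logs.
function assertHeaderValue(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('CR/LF in header value: response splitting attempt');
  }
  return value;
}

// Serialise a minimal response. `headers` values are supplied by the
// application, which must have passed untrusted ones through assertHeaderValue.
function serializeResponse(status, headers, body) {
  const lines = [`HTTP/1.1 ${status}`];
  for (const [name, value] of Object.entries(headers)) lines.push(`${name}: ${value}`);
  return lines.join('\r\n') + '\r\n\r\n' + body;
}

// Build the search page: `lang` is reflected into a cookie header and `q`
// into the body, the two sinks discussed in Sections 4.2 and 3.2 respectively.
function buildSearchResponse(q, lang) {
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'Set-Cookie': `lang=${assertHeaderValue(lang)}`,
  };
  return serializeResponse('200 OK', headers, renderSearchSafe(q));
}

// Count status lines in raw response bytes; an unchecked header value that
// carries CR/LF makes this 2, which is the split the attacker is after.
function countResponses(raw) {
  return raw.split('HTTP/1.1 ').length - 1;
}
```

The encoding is tied to the output context: `escapeHtml` is correct for text between HTML tags, but the same term placed inside a JavaScript string or a URL attribute needs the encoding for that context instead.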

Fig. 1. Example of Web Environment.

Explanation: Fig. 1 shows a small example of a web environment with three key players: the web server, the attacker and the user. Consider a portal that provides an online forum hosted on a web server. First, the attacker posts malicious code to the forum. Later a user requests the currently posted contents of the forum, and the web server serves the attacker's post along with the rest of the page in its response.

The attacker injects malicious code (shown in 5.1.1) into the forum of the vulnerable web site to create an unbounded number of directories and sub-directories. This overburdens the web server and wastes its storage space.

5.1.1 Malicious code which degrades web server performance

5.2 Case – 02 – Phishing through XSS vulnerability
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging [1], and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when server authentication is used, it may require tremendous skill to detect that the website is fake. Phishing is an example of the social engineering techniques used to fool users [2], and it exploits the poor usability of current web security technologies [3]. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness and technical security measures. In the scenario below, the fake page transmits the personal information of its victims to the attacker, who can then use it to gain access to their social networking accounts and thus steal more personal information.

Fig. 2. A Phishing Mail Example.

Fig. 2 shows an example of a phishing mail. The mail contains a malicious link; whenever the user clicks on it, a new web page opens that looks like the page shown in Fig. 3.

Fig. 3. A Fake Online Banking page.

As shown in Fig. 3, the user is forwarded to a
page which looks like the original banking website. This page contains a submit button and asks for entries that the original banking website would never ask for. When the user clicks the submit button, a JSP page stored by the attacker executes and writes all the submitted information into a text file, which the attacker can use later.

JSP code to write the user's information into a file for future use:

<%@ page import="java.io.*" %>
<%
// Read the fields submitted by the fake banking form.
String uname = request.getParameter("uname");
String acc = request.getParameter("accnum");
String pass = request.getParameter("pass");
String tpass = request.getParameter("tpass");
String bname = request.getParameter("bname");
String str = "Username: " + uname + ": AccountNum: " + acc
    + ": Password: " + pass + ": T Password: " + tpass
    + ": BranchName: " + bname;
String nameOfFile = "impData.txt";
try {
    // Open in append mode so each victim's record is added rather than
    // overwriting the previous one.
    PrintWriter pw = new PrintWriter(new FileOutputStream(nameOfFile, true));
    pw.println(str);
    pw.close();
} catch (IOException e) {
    out.println(e.getMessage());
}
%>

6 APPROACHES AGAINST CROSS SIDE SCRIPTING ATTACKS

This section is concerned with how social networking sites can be protected from attackers in order to protect the end user.

6.1 Network separation
Web sites fall into different categories, e.g., trusted global brands, small businesses, personal sites and social networking sites, and each has a different level of security. Although the sites of large organizations with dedicated web security teams are not immune to attack, the probability of their being compromised is far lower than for smaller organizations that may outsource their web development. Implementing a security policy that acknowledges such distinctions helps to mitigate risk at the endpoint. A popular way to achieve this is to implement separate networks, with a different browsing policy on each.

6.2 Client browsers
Client web browsers also play a major role in web application attacks. Internet Explorer, Mozilla Firefox and Google Chrome are the most targeted browsers; as other browsers have gained in popularity, attackers have started using exploits that target them too. The choice of browser may be influenced by the security-minded configuration options or plug-ins available for it. A popular plug-in for Mozilla-based browsers is NoScript, which provides control over Java and JavaScript execution. NoScript is a free and open-source extension for Mozilla Firefox, SeaMonkey, Flock and other Mozilla-based web browsers. It allows JavaScript, Java, Flash, Silverlight and other plug-in and scripted content to be executed selectively, based on a whitelist [1].

6.3 Content inspection
The most common form of content inspection for web content is an application that filters incoming HTTP traffic. The filter typically passes posted or transiting content to an anti-script engine that matches it against known malicious script, and it can also block potentially undesirable content based on keyword blacklists. In this way persistent (stored) script injection can be reduced. By filtering content at the web gateway, anti-script filters add a significant layer of protection for social network users: if the filter detects suspicious content, the post can be blocked or a warning generated for users. Advanced products optimize their detection capabilities for the web environment. One of the challenges of web content filtering is performance. Social networking sites are interactive, so responses must be fast and the web application cannot tolerate much added latency; this conflicts with the increasing need for expensive analysis of complex, obfuscated malicious scripts. A further limitation is that a keyword blacklist matches only the patterns it knows, so encoded or unusual variants of the same payload can pass through it.

6.4 URL filtering
URL categorization is also used to reduce or prevent code injection attacks. Requests to known malicious or suspicious URLs and websites can be blocked regardless of whether their content would be identified as malicious. This is clearly useful given that attackers use automation to change their threats continually in order to evade detection. The success of blocking requests to known suspicious websites relies on maintaining an up-to-date list of such websites. Several factors determine how effective such a list is, including:
Pertinent data: gathering adequate information about the code injection techniques available online, in order to learn about new attacks as quickly as possible. Systems must be updated daily, and solutions may involve tools that gather as much data as possible about code injection found online.
URL filtering can also be used to control the types of sites that users may browse. Sites classified into categories such as adult content, gambling or entertainment may be blocked within an organization. The accuracy of the classification data governs how successful URL filtering is; for this reason several products license data from third-party companies to improve their URL classification.

6.5 Endpoint protection
Security on the endpoint is indispensable regardless of whether the user is connected to the network or not. The features of anti-virus products are important in choosing the most appropriate solution. One such feature is the ability of the anti-virus to provide proactive detection, i.e. detection of previously unknown code injection or malicious script. An endpoint security product may use several methods to detect known or unknown malicious code: signature-based detection, heuristic-based detection and file emulation. With the help of these methods it can determine whether the code or script is malicious and then carry out the
suitable actions.
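Section 6.6 below suggests that, for smaller sites, running scripts that check the files in the web root helps alert the administrator to an uploaded shell or a modified page. The following is an added example of such a check, written for Node.js; it is not from the paper, and the directory layout, file names and the simulated intrusion are constructed for the demonstration. It hashes every file under the web root, and diffs a fresh scan against a baseline recorded at deployment time, reporting files that are new, changed or missing.

```javascript
// Added example (not from the paper): the "script that checks the files in
// the web root" that Section 6.6 recommends, written as a baseline-and-diff
// integrity check. Paths, names and the sample tree are the example's own.
const fs = require('fs');
const path = require('path');
const os = require('os');
const crypto = require('crypto');

// Walk `root` and return { relativePath: sha256hex } for every regular file.
// Relative paths use '/' so a baseline is comparable across platforms.
function hashTree(root) {
  const out = {};
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        walk(full);
      } else if (entry.isFile()) {
        const digest = crypto.createHash('sha256').update(fs.readFileSync(full)).digest('hex');
        out[path.relative(root, full).split(path.sep).join('/')] = digest;
      }
    }
  };
  walk(root);
  return out;
}

// Compare a fresh scan against the baseline taken when the site was deployed.
// `added` is where a dropped web shell shows up; `changed` is where a
// defaced or script-injected page shows up.
function diffBaseline(baseline, current) {
  const added = [], changed = [], removed = [];
  for (const p of Object.keys(current)) {
    if (!(p in baseline)) added.push(p);
    else if (baseline[p] !== current[p]) changed.push(p);
  }
  for (const p of Object.keys(baseline)) if (!(p in current)) removed.push(p);
  return { added: added.sort(), changed: changed.sort(), removed: removed.sort() };
}

// Constructed demonstration: deploy a tiny site into a temp directory,
// baseline it, simulate an intrusion (a dropped file in an upload directory
// and a modified index page), and diff.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'webroot-'));
  fs.mkdirSync(path.join(root, 'img'));
  fs.writeFileSync(path.join(root, 'index.jsp'), '<html>welcome</html>');
  fs.writeFileSync(path.join(root, 'img', 'logo.png'), Buffer.from([0x89, 0x50, 0x4e, 0x47]));
  const baseline = hashTree(root); // in practice saved at deployment time

  // Simulated attacker activity (placeholder content, not a working shell).
  fs.writeFileSync(path.join(root, 'img', 'cmd.jsp'), 'uploaded file standing in for a web shell');
  fs.appendFileSync(path.join(root, 'index.jsp'), '<script src="http://evil.example/x.js"></script>');

  const report = diffBaseline(baseline, hashTree(root));
  fs.rmSync(root, { recursive: true, force: true });
  return report;
}

if (require.main === module) console.log(JSON.stringify(demo(), null, 2));
```

The baseline must be stored outside the web root and outside the web server's write permissions, otherwise the same upload that drops the shell can rewrite the baseline to match.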
6.6 Web server protection
Web servers provide a portal into the network, so they require a stronger and more customized level of protection than network firewalls or IDS alone can provide. Attackers target web servers in order to compromise the sites they host. Entry points include weak username/password combinations, vulnerable web applications, a vulnerable operating system, and vulnerable web server software, databases, tools or libraries.

Once an entry point has been identified, the attacker will likely attempt to install some form of remote shell on the machine: for example a shell attack, in which the attacker uploads a file to the web server to gain full access to it. The functionality varies between shell scripts, but most provide the ability to upload additional files and issue remote commands, and several provide functionality designed specifically for compromise, such as executing Windows commands.

It is clear that a considerable number of web servers do not use an access filter. Filtering tools can protect the server itself (from various forms of attack or infection) and also inform the administrator when a malicious script runs. For smaller sites, simple steps such as running scripts that check the files in the web root can also help to alert the administrator to a problem.

7 CONCLUSION

Handling vulnerable code and malicious script on a social network is still a major challenge. In this paper attack scenarios were implemented to demonstrate how XSS can be used to degrade server performance and to conduct a phishing attack. These issues should be taken seriously by the web programmers involved in developing social networking websites. Policy, network and coding based approaches to preventing these attacks were discussed, but practical policy enforcement on specific content using the Platform for Privacy Preferences Project (P3P) remains challenging, and code inspection to prevent XSS attacks is time consuming.

Future work will focus on a wider experiment involving a large set of XSS case studies, and on integrating the presented approaches into an effective solution for preventing cross-site scripting in the social networking environment.

ACKNOWLEDGMENT

The research presented in this paper would not have been possible without our college, MANIT, Bhopal. We wish to express our gratitude to all the people who helped turn the World-Wide Web into the useful and popular distributed hypertext it is. We also wish to thank the anonymous reviewers for their valuable suggestions.

REFERENCES

[1] "Wikipedia" [online]. Available: http://www.en.wikipedia.org/wiki/ [Accessed: June 15, 2010].
[2] F. Howard, "Modern web attacks," SophosLabs UK, August 2007.
[3] "Cross Site Scripting" [online]. Available: http://www.cgisecurity.com/xss-faq.html [Accessed: June 13, 2010].
[4] "HTTP Header Injection" [online]. Available: http://blogs.msdn.com/b/esiu/archive/2007/09/22/http-header-injection-vulnerabilities.aspx [Accessed: June 10, 2010].
[5] "HTTP Response Splitting" [online]. Available: http://www.owasp.org/index.php/HTTP_Response_Splitting [Accessed: June 10, 2010].
[6] "Approaches against XSS" [online]. Available: www.securecontenttechnologies.com [Accessed: May 25, 2010].

Fahim Mohammed: M.Tech in Computer Science & Engg., B.E. in Information Technology, and research scholar at National Institute of Technology Bhopal.

Prof. Deepak Singh Tomar: M.Tech & B.E. in Computer Science & Engg.; Assistant Professor in the Computer Science & Engg. Department, with 14 years of teaching experience (PG & UG) and 16 M.Tech theses guided.

Dr. J.L. Rana: Professor (retired), ex-Head of the Department of Computer Science & Engg., MANIT, Bhopal. PhD IIT Mumbai; M.S. USA (Hawaii). Guided 30 M.Tech theses and six Ph.D.s.
