Proc. 29th International Conference on Systems, Signals and Image Processing “IWSSIP 2022”, June 01 - 03, 2022, Sofia, Bulgaria

Practical analysis on the algorithm of the Cross-Site Scripting Attacks

Blerton Abazi
Faculty of Computer Science and Engineering
University for Business and Technology UBT
Prishtina, Kosovo
blerton.abazi@ubt-uni.net

Edmond Hajrizi
Faculty of Computer Science and Engineering
University for Business and Technology UBT
Prishtina, Kosovo
ehajrizi@ubt-uni.net

2022 29th International Conference on Systems, Signals and Image Processing (IWSSIP) | 978-1-6654-9578-3/22/$31.00 ©2022 IEEE | DOI: 10.1109/IWSSIP55020.2022.9854491

Abstract — With the change of information technology over the years, it has become necessary to re-evaluate security risks, various possible errors and responses to them. Well-informed and uninformed internet users who click on the wrong links or even use outdated versions of technologies are the most common causes of various errors resulting in security breaches. There is a growing need to educate users of these technologies to prevent or avoid various errors that pose a high risk of security breaches. Web applications suffer from various security vulnerabilities that can be exploited by hackers to cause harm in different ways. Private data are those which can be directly endangered by these errors, which in one way or another can cause us great personal and financial problems. The various infectious scripts are invisible to the visitor, but they determine the website behavior in response to certain clicks sent by the user. In addition to the World Wide Web, various online scripts are also used to automate processes on a local computer. Each script represents a text containing instructions to be executed by a program or script manager in order to achieve the automated action which is desired. Cross Site Scripting is the attack in which the attacker attempts to create scripts in order to extract data from the victim and utilize this data for various purposes, all to the detriment of the victim. A Cross Site Scripting attack can even rewrite the contents of an HTML page. In this paper we will focus on the attack in question by displaying various details and examples, as well as the attack submission algorithm.

Keywords — attacks, cybersecurity, cross site scripting, SQL injection, DDOS attack

I. INTRODUCTION

With the development and widespread use of web-based applications and web-based websites as well as many different applications, attacks are also gaining momentum and endangering millions of users. Therefore protection against these attacks is needed to provide the most secure environment for internet use [1]. It is estimated that there are about 1.9 billion websites on the Internet [2]. Web applications have become an essential component for businesses as well. Using web applications, businesses can develop and achieve their goals faster and more securely.

Most businesses, which are web or various applications, are aware of a level of security threat posed by various attacks, but many other businesses are unaware of the unwanted emails or even many links, are the target of attacks that result in major damage.

During 2019 cyber-attacks targeted about 75% of large companies in Europe and North America. According to Precise Security [3] studies about 40% of attacks are done using Cross Site Scripting, which is also the most preferred attack vector globally.

One in a third applications are vulnerable due to the limit of the attempts during the authentication process. Most of the time, this lack is used by hackers by boosting the login information in order to gain access to the system. There are several examples through which you can check that after 200 attempts with admin privileges the system could be accessed.

The process of the access restrictions overpass can lead to illegal discovery, modification or disposal of data [4]. During the testing phase we have identified that some unsecured authorization allowed a user's profile to be changed. Positive Technologies [5] specialists discovered the application administrator's username, replaced the email address in the profile with one of their own, and then used the standard password reset procedure to access the site with administrator privileges.

II. PROBLEM STATEMENT

Although the number of vulnerabilities in web applications is decreasing over time, it is still a topic that always has room for discussion and further treatment, as the more these applications are developed, the attackers are developing their skills and finding new ways to put them at risk. It is important to identify the causes of these risks and find ways to reduce their number.

This paper is initially focused on describing the vulnerabilities of web applications that give attackers an environment where they can carry out these attacks. We have a detailed description of how these attacks are carried out, what types they have, what damage they can cause and a concrete example of how a multi-flaw application could be the target of these attacks that would lead up to stealing the credentials of its users or even destroying it completely.

In the end, some rules will be given which, if applied correctly, would result in the elimination of vulnerabilities, and would avoid these attacks.

A. An approach to XSS / Cross site scripting

The concept of Cross Site Scripting relies on unsafe user access being given directly to a website. If user inputs are sanitized properly, scripting attacks on the page would be impossible. There are many ways to ensure that user logins cannot be avoided on your websites [6].

Although there are differences between these attacks, they still have one basic thing in common: once an attacker has injected code into a page on that website, these malicious scripts are executed in the context of the website, i.e. these scripts are treated like any other web site script: they have access to sensitive user information and the hostname in the URL will be that of the webpage.


Authorized licensed use limited to: KLE Technological University. Downloaded on March 30,2023 at 09:19:27 UTC from IEEE Xplore. Restrictions apply.
Injecting malicious scripts by hackers has often or almost always resulted in the loss of critical data and information. A website's damaged reputation after an attack is sometimes irreversible. When implementing Cross Site Scripting code, the objectives between Client-side and Server-side must also be clearly distinguished.

All scripts can be executed on the client if they are coded in JavaScript, since JavaScript is supported by all browsers [8], [9]. Other scripting languages can be used only if they are supported by the user's browser. Server-side code is code that is executed on the server, often to provide dynamic content to web pages in response to a user action. In the past, almost all business logic was executed on the server, including creating dynamic websites, interacting with databases and authenticating identities. The problem with storing all these processes on the server is that each request has to pass every time from client to server and it can lead to considerable delays.

Server-side scripts should not be coded in JavaScript, as the server can support a number of different languages [10].

Figure 1 How an XSS attack can occur [11]

B. Types of XSS Attacks

According to the literature Cross Site Scripting attacks are divided into three main types [12]:
• Persistent XSS
• Reflected XSS
• DOM-based XSS

1) Persistent XSS

Persistent XSS or stored attacks are those that are permanently stored on the target servers, such as databases, messages posted on forums, comment fields, etc. Whenever the XSS-injected page is viewed, the malicious script is executed in the victim's browser [8], [13].

Compared to reflected XSS this type does more harm. If the attackers manage to exploit this shortcoming, it will stay in place and attack the users until the administrator deletes that attack.

Figure 2 Persistent XSS [9]

Figure 2 visually shows the development steps of a Persistent XSS attack.

a) Action on Objectives

In this phase, the attacker will proceed with the process of reconnaissance to check for any possible vulnerability or gap on websites which he might use to perform the attack. Firstly, the attacker will initiate the visual check of the web pages through the HTML inspect pages and then will continue using specific tools to reach the objective. Some of the main actions that the attacker can perform in the beginning are as follows:
• Looking for the search box on the website and checking the search results
• Checking the log-in function and the results displayed after the user is logged in
• Any information that might be displayed on the header of the website, such as browser type and version

2) Reflected XSS

A typical example of page-reflected scripting is a search form, where visitors submit their search query to the server and only they see the result.

The reflected attacks may seem harmless because they require the victim to submit a request with a malicious string. In principle two methods exist to perform a self-reflected attack:
• By sending an infected URL to a victim (through email, link) and convincing them to visit that URL.
• By placing a malicious URL on the webpage or any other social network platform and waiting for potential victims to click on it.

To make it more complex and confuse the victim, the attacker can use a shortening service for the link, which hides the harmful string so that the victim will not notice it.

This information contains malicious code which becomes part of the webpage sent to the user's browser, where it is also executed.

Figure 3 shows the steps for developing a Reflected XSS attack.

The website does not perform a query string check and generates a query string search page. The website returns an answer without the search string in the HTML body:

<html>
  <h1>You Searched for:</h1>
  <div id="searchquery"></div>
  <script>
    // Skip the first three characters of the query string
    var keyword = location.search.substring(3);
    // Vulnerable sink: the request value is written into the page as HTML
    document.querySelector('#searchquery').innerHTML = keyword;
  </script>
</html>
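
The same search page with the flaw and its fix side by side, as an added example that is not from the paper. It is written as server-side JavaScript so that it runs under Node; the host `website.example`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example (not from the paper): the search page rendered once the way
// the snippet above does it, and once with output encoding applied.

// Characters that can change the parsing context in HTML element content
// and in quoted attribute values, with their entity replacements.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the "keyword" parameter by name instead of slicing the query string.
function getKeyword(requestUrl) {
  const value = new URL(requestUrl).searchParams.get('keyword');
  return value === null ? '' : value;
}

// Vulnerable: request input is concatenated into the markup unchanged.
function renderSearchUnsafe(requestUrl) {
  return '<h1>You searched for:</h1><div id="searchquery">' +
    getKeyword(requestUrl) + '</div>';
}

// Hardened: same page, keyword encoded for the HTML context it lands in.
function renderSearchSafe(requestUrl) {
  return '<h1>You searched for:</h1><div id="searchquery">' +
    escapeHtml(getKeyword(requestUrl)) + '</div>';
}

// Constructed sample requests (hypothetical host); the second carries markup.
const benign = 'http://website.example/search?keyword=red%20shoes';
const hostile = 'http://website.example/search?keyword=' +
  encodeURIComponent('<script>alert(1)</script>');

for (const url of [benign, hostile]) {
  console.log('unsafe:', renderSearchUnsafe(url));
  console.log('safe:  ', renderSearchSafe(url));
}
```

In the browser snippet itself, assigning the keyword to `textContent` instead of `innerHTML` gives the same result, because the value is then inserted as text rather than parsed as markup.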
Figure 3 Reflected XSS [9]

C. DOM-based XSS

DOM-based attacks occur by modifying the DOM "environment" on the client side and not by sending malicious code to the server [13]. DOM stands for Document Object Model and it is a programming API for HTML and XML documents which defines the document’s logical structure and how we approach and manipulate that document.

The DOM allows scripts to modify the HTML and XML document, which means that these documents can be modified by attacker scripts. So DOM-based attacks use the shortcomings of the DOM to carry out these attacks. With this type of attack malicious code is not injected into the page. So the problem lies in the DOM which can be controlled by the client on the website or application. Attackers can therefore allow scripts to be executed in the DOM environment to attack the victim website [14].

Figure 8 visually shows the steps for developing a DOM-based XSS attack.

Figure 4 DOM based XSS [14]

Figure 4 shows the steps for developing a DOM-based XSS attack.

A possible attack flow might look like this:

Hey user, check this out: "http://website.com/search?keyword=<script>window.location='http://attacker.com/?cookie='+document.cookie</script>"

III. CONCLUSION AND FUTURE DIRECTIONS

In the paper we showed and argued the importance of web applications in our daily lives. We can say that with their development even our lifestyle in a form has changed.

But like any other good, this one brings its own challenges. With the great development of web applications came the attack on them, as well as the skills of attackers who always find new ways to put them at risk.

The motivation for analyzing Cross Site Scripting attacks was shown to be the risk they can cause, their large number and especially the mistakes made by application developers that in a way provide attackers an environment for the development of these attacks.

Throughout the paper the XSS attacks and their types were analyzed in detail, as was the story of how it came to the opportunity to develop them [15]. It was also demonstrated with concrete examples how a flawed application becomes the target of these attacks, which endanger each of its users.

Sometimes it is difficult to completely identify and eliminate XSS vulnerabilities from a web application. The best way to identify these vulnerabilities is to review the code security, and search for all places where input from an HTTP request can find a way to HTML output.

It is important to know that a different number of HTML tags can be used to send malicious JavaScript code. When a compromise or rather an XSS attack occurs, it is important to change all the passwords and secrets of the application as soon as the vulnerability is fixed. In order to prevent reinfection, the personal data should be cleaned to ensure that there are no fraudulent administrator users or backdoors present in the database.

REFERENCES

[1] B. Abazi, “An approach to the impact of transformation from the traditional use of ICT to the Internet of Things: How smart solutions can transform SMEs,” IFAC-PapersOnLine, vol. 49, no. 29, pp. 148–151, Jan. 2016.
[2] Internet Live Stats, “Total number of Websites.” [Online]. Available: https://www.internetlivestats.com/total-number-of-websites/. [Accessed: 22-Mar-2022].
[3] “Web Applications vulnerabilities and threats: attacks statistics for 2019.” [Online]. Available: https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/. [Accessed: 07-Mar-2022].
[4] R. Wang, P. Liu, L. Zhao, Y. Cheng, and L. Wang, “deExploit: Identifying misuses of input data to diagnose memory-corruption exploits at the binary level,” J. Syst. Softw., vol. 124, pp. 153–168, Feb. 2017.
[5] “Positive Technologies helps Oracle to fix a vulnerability in WebLogic Server.” [Online]. Available: https://www.ptsecurity.com/ww-en/about/news/positive-technologies-helps-oracle-to-fix-a-vulnerability-in-weblogic-server/. [Accessed: 22-Mar-2022].
[6] “Cross Site Scripting (XSS) Software Attack | OWASP Foundation.” [Online]. Available: https://owasp.org/www-community/attacks/xss/#. [Accessed: 07-Mar-2022].
[7] M. Antonakakis et al., “Understanding the Mirai Botnet,” Proc. 26th USENIX Secur. Symp., pp. 1093–1110, 2017.
[8] S. Fogie, J. Grossman, R. Hansen, and A. Rager, “XSS Attacks,” XSS Attacks, 2007.
[9] V. Nithya, S. Lakshmana Pandian, and C. Malarvizhi, “A survey on detection and prevention of cross-site scripting attack,” Int. J. Secur. its Appl., vol. 9, no. 3, pp. 139–152, 2015.
[10] J. Clarke, “SQL Injection Attacks and Defense: Second Edition,” SQL Inject. Attacks Def. Second Ed., pp. 1–547, 2012.
[11] Medium.com, “Reflected Cross Site Scripting (r-XSS) | by Christopher Makarem | IOCSCAN | Medium.” [Online]. Available: https://medium.com/iocscan/reflected-cross-site-scripting-r-xss-b06c3e8d638a? [Accessed: 04-May-2022].
[12] Q. Wang et al., “Black-box adversarial attacks on XSS attack detection model,” Comput. Secur., vol. 113, p. 102554, Feb. 2022.
[13] G. E. Rodríguez, J. G. Torres, P. Flores, and D. E. Benavides, “Cross-site scripting (XSS) attacks and mitigation: A survey,” Comput. Networks, vol. 166, p. 106960, Jan. 2020.
[14] B. K. Ayeni, J. B. Sahalu, and K. R. Adeyanju, “Detecting Cross-Site Scripting in Web Applications Using Fuzzy Inference System,” J. Comput. Networks Commun., vol. 2018, 2018.
[15] I. Tariq, M. A. Sindhu, R. A. Abbasi, A. S. Khattak, O. Maqbool, and G. F. Siddiqui, “Resolving cross-site scripting attacks through genetic algorithm and reinforcement learning,” Expert Syst. Appl., vol. 168, p. 114386, Apr. 2021.
