EXSS: An Educational Emulator of Cross-Site Scripting Attacks
Abstract
This paper proposes an emulator for Cross-Site Scripting (XSS) attacks for learning in cybersecurity. The emulator allows users to identify websites vulnerable to XSS attacks in a controlled environment. The identification of vulnerabilities is achieved through activities that consist of a theoretical introduction to the topic, followed by practical procedures for conducting XSS vulnerability tests on a web server running on a virtual machine. Activities are developed for different levels of knowledge. The particularity of the proposed emulator is its educational approach, and its goal is to raise awareness among undergraduate students and professionals to develop less vulnerable websites.
Published
2024-09-16
How to Cite
GUARIZI, Bianca Domingos et al. EXSS: An Educational Emulator of Cross-Site Scripting Attacks. In: TOOLS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 89-96. DOI: https://doi.org/10.5753/sbseg_estendido.2024.243354.
