• 1 Department of Informatics University of Chemical Technology and Metallurgy – Sofia, Bulgaria


This report focuses on vulnerabilities on web-applications and web-sites from Cross-Site Scripting attacks (XSS). The different types of XSS attacks are examined: DOM-based, active and passive attacks. The spread of XSS attacks across platforms – government and financial institutions, transportation companies, hospitality and entertainment has been analyzed. Research and analysis of the security of corporate websites and their resistance to XSS attacks have been carried out. The basic guidelines for preventing valuable data theft and unauthorized access to websites and applications from XSS attacks are reviewed and systematized.



  1. Lekies S; Kotowicz, Krzysztof; Groß, Samuel; Nava, Eduardo Vela; Johns, Martin (2017). "Code-reuse attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets", CCS 17, October 30 - November 3, 2017, Dallas, TX, USA, pp. 1709- 1723
  2. Heiderich M., Schwenk J., Frosch T., Magazinius J., Jang E. Z. mXSS attacks: tacking well-secured web-applications by using innerHTML mutations. In Proceeding of the 2013 ACM SIGSAC conference on Computer and communications security (2013) ACM, pp. 777-788
  3. Heiderich M., Mustache security wiki (online) https&//
  5. Peter Wurzinger, Christian Platzer, Christian Ludl, Engin Kirda, Christopher Kruegelk, SWAP: Mitigating XSS attacks using a reverse proxy, Secure Systems Lab - Technical University Vienna, Institute Eurecom France, University of California, Santa Barbara, IWSESS '09 Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems
  7. M. K Gupta, M. C. Govil, and G. Singh, “Static analysis approaches to detect SQL injection and cross site scripting vulnerabilities in web applications: a survey,” in Proceedings of the Recent Advances and Innovations in Engineering (ICRAIE), 2014, pp. 1-5
  8. Vernotte A., Dadeau F., Lebeau F., Legeard B., Peureux F., Piat F. (2014) Efficient Detection of Multi-step Cross-Site Scripting Vulnerabilities. In: Prakash A., Shyamasundar R. (eds) Information Systems Security. ICISS 2014. Lecture Notes in Computer Science, vol. 8880. Springer, Cham DOI
  9. Qianjie Zhang, Hao Chen, Jianhua Sun, The 2nd International Conference on Software Engineering and Data Mining, 2010
  10. Vikas K. Malviya, Saket Saurav, Atul Gupta, 2013 20th Asia- Pacific Software Engineering Conference (APSEC)
  11. Cross-site scripting, Wikipedia,
  12. Johannes Dahse, Thorsten Holz, Static Detection of Second- Order Vulnerabilities in Web Applications, USENIX Security Symposium, 2014
  13. Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang, mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations, 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 2013
  14. Wang, Yi-Hsun, Ching-Hao Mao, Hahn-Ming Lee, Structural Learning of attack vectors for generating mutated XSS attacks, arxiv preprint arxiv: 1009.3711 (2010)
  15. Bau, J., Bursztein, E., Gupta, D., Mitchell, J.: State of the Art: Automated Black-Box Web Application Vulnerability Testing. In: Proc. of the 31st Int. Symp. on Security and Privacy (SP 2010), pp. 332–345. IEEE CS, Oakland (2010)
  16. Doupé, A., Cova, M., Vigna, G.: Why Johnny Can’t Pentest: An Analysis of Black-Box Web Vulnerability Scanners. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 111–131. Springer, Heidelberg (2010)
  17. Vernotte A., Dadeau F., Lebeau F., Legeard B., Peureux F., Piat F. (2014) Efficient Detection of Multi-step Cross-Site Scripting Vulnerabilities. In: Prakash A., Shyamasundar R. (eds) Information Systems Security. ICISS 2014. Lecture Notes in Computer Science, vol 8880. Springer, Cham DOI 13841-1_20, pp. 359
  19. Smith M. A., Web application Security: XSS Attacks, Kansas State University, CIS 726, pp. 1-2,
  20. Shailendra Rathore, Pradip Kumar Sharma, Jong Hyuk Park, XSSClassifier: An Efficient XSS Attack Detection Approach Based on Machine Learning Classifier on SNSs, Journal of Information Processing Systems, Vol.13, No.4, pp.1014-1028, August 2017,,3745/JIPS.03.0079
  21. IBM MSS, Cross-Site Scripting (XSS) Research and Intelligence report, Release data& December 15, 2014 by& Nikita Gupta, p.5
  22. Theodoor Scholte, William Robertson, Davide Balzarotti, Engin Kirda, SAC 2012 Proceedings of the 27th Annual ACM Symposium on Applied Computing, Pages 1419-1426
  23. Jyoti Snehi1, Dr. Renu Dhir, Jalandhar, India, International Journal of Computers & Technology Volume 4 No. 2, March-April, 2013, ISSN 2277-3061
  24. Amiangshu Bosu, Jeffrey C. Carver, Munawar Hafiz, Patrick Hilley, Derek Janni, Identifying the characteristics of vulnerable code changes: an empirical study, FSE 2014 Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering Pages 257-268
  25. Adriana Neagos, Simona Motogna, Security Analysis Regarding Cross-Site Scripting on Internet Explorer, BCI, 2012, Citeseer

Article full text

Download PDF