Document Type : Research Article


1 Department of Information Technology, College of Computer, Qassim University, Buraydah, Saudi Arabia.

2 Computers and Control Engineering Department, Faculty of Engineering, Tanta University, Tanta, Egypt.


At the present period of time, web applications are growing constantly in the whole society with the development of communication technology. Since the utilization of WWW (World Wide Web) expanded and increased since it provides many services, such as sharing data, stay connected and other services. As a consequence, these numerous numbers of web application users susceptible to cybersecurity breaches in order to steal sensitive information or crashing the users’ systems, etc. Particularly, the most common vulnerability todays in web applications are the Cross-Site Scripting (XSS) attack.
Furthermore, online cyber attacks utilizing cross-site scripting were responsible for 40% of the attack instances that struck enterprises in North America and Europe in the 2019. Therefore, cross-site scripting is a form of an injection that targets both vulnerable and non-vulnerable websites, for the injection of malicious scripts. Cross-site scripting XSS operates by directing users to a vulnerable website that contains malicious JavaScript. Then, when malicious code runs in a victim’s browser, the attacker has complete control over how they interact with the application. In order to protect website or prevent the XSS, must know the application complexity and the way it handles data must be known so it could be controlled by the user. However, Detecting XSS effectively is still a work in progress and XSS is considered a gateway for various attacks. However in this paper, we will introduce the XSS attack and the forms of XSS as review paper. In addition, the methods and techniques that help to detect cross site scripting (XSS) attacks.


[1] Germ´an E Rodr´ıguez, Jenny G Torres, Pamela Flores, and Diego E Benavides. Cross-site scripting (xss) attacks and mitigation: A survey. Computer Networks, 166:106960, 2020.
[2] Ibrahim Nadir and Taimur Bakhshi. Contemporary cybercrime: A taxonomy of ransomware threats & mitigation techniques. In 2018 International Conference on Computing, Mathematics and Engineering Technologies (iCoMET), pages
1–7. IEEE, 2018.
[3] Nadya ElBachir El Moussaid and Ahmed Toumanari. Web application attacks detection: A survey and classification. International Journal of Computer Applications, 103(12), 2014.
[4] Miao Liu, Boyu Zhang, Wenbin Chen, and Xunlai Zhang. A survey of exploitation and detection methods of xss vulnerabilities. IEEE access, 7:182004–182016, 2019.
[5] Isatou Hydara, Abu Bakar Md Sultan, Hazura Zulzalil, and Novia Admodisastro. Current state of research on cross-site scripting (xss)–a systematic literature review. Information and Software Technology, 58:170–186, 2015.
[6] Iram Tariq, Muddassar Azam Sindhu, Rabeeh Ayaz Abbasi, Akmal Saeed Khattak, Onaiza Maqbool, and Ghazanfar Farooq Siddiqui. Resolving cross-site scripting attacks through genetic algorithm and reinforcement learning. Expert Systems with Applications, 168:114386, 2021.
[7] Upasana Sarmah, DK Bhattacharyya, and Jugal K Kalita. A survey of detection methods for xss attacks. Journal of Network and Computer Applications, 118:113–143, 2018.
[8] Mukesh Kumar Gupta, MC Govil, and Girdhari Singh. Static analysis approaches to detect sql injection and cross site scripting vulnerabilities in web applications: A survey. In International Conference on Recent Advances and Innovations
in Engineering (ICRAIE-2014), pages 1–5. IEEE, 2014.
[9] Rahul Johari and Pankaj Sharma. A survey on web application vulnerabilities (sqlia, xss) exploitation and security engine for sql injection. In 2012 international conference on communication systems and network technologies, pages 453–458. IEEE, 2012.
[10] Abdalla Wasef Marashdih, Zarul Fitri Zaaba, Khaled Suwais, and Nur Azimah Mohd. Web application security: An investigation on static analysis with other algorithms to detect cross site scripting. Procedia Computer Science, 161:1173–
1181, 2019.
[11] Kunal Gupta, Rajni Ranjan Singh, and Manish Dixit. Cross site scripting (xss) attack detection using intrustion detection system. In 2017 International Conference on Intelligent Computing and Control Systems (ICICCS), pages 199–203. IEEE, 2017.
[12] Li Lei, Ming Chen, Chengwan He, and Duojiao Li. Xss detection technology based on lstmattention. In 2020 5th International Conference on Control, Robotics and Cybernetics (CRC), pages 175–180. IEEE, 2020.
[13] Twana Assad Taha and Murat Karabatak. A proposed approach for preventing cross-site scripting. In 2018 6th International Symposium on Digital Forensic and Security (ISDFS), pages 1–4. IEEE, 2018.
[14] Ran Wang, Guangquan Xu, Xianjiao Zeng, Xiaohong Li, and Zhiyong Feng. Tt-xss: A novel taint tracking based dynamic detection framework for dom cross-site scripting. Journal of Parallel and Distributed Computing, 118:100–106, 2018.
[15] Vikas K Malviya, Sawan Rai, and Atul Gupta. Development of web browser prototype with embedded classification capability for mitigating cross-site scripting attacks. Applied Soft Computing, 102:106873, 2021.
[16] Mehul Singh, Prabhishek Singh, and Pramod Kumar. An analytical study on cross-site scripting. In 2020 International Conference on Computer Science, Engineering and Applications (ICCSEA), pages 1–6. IEEE, 2020.
[17] Shaimaa Khalifa Mahmoud, Marco Alfonse, Mohamed Ismail Roushdy, and Abdel-Badeeh M Salem. A comparative analysis of cross site scripting (xss) detecting and defensive techniques. In 2017 Eighth International Conference on Intelligent Computing and Information Systems (ICICIS), pages 36–42. IEEE, 2017.
[18] Jinkun Pan and Xiaoguang Mao. Detecting dom-sourced cross-site scripting in browser extensions. In 2017 IEEE International Conference on Software Maintenance and Evolution(ICSME), pages 24–34. IEEE, 2017.
[19] Sebastian Lekies, Ben Stock, and Martin Johns. 25 million flows later: large-scale detection of dom-based xss. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 1193–1204, 2013.
[20] Imran Yusof and Al-Sakib Khan Pathan. Preventing persistent cross-site scripting (xss) attack by applying pattern filtering approach. In The 5th International Conference on Information and Communication Technology for The Muslim
World (ICT4M), pages 1–6. IEEE, 2014.
[21] Ankit Shrivastava, Santosh Choudhary, and Ashish Kumar. Xss vulnerability assessment and prevention in web application. In 2016 2nd International Conference on Next Generation Computing Technologies (NGCT), pages 850–853.
IEEE, 2016.
[22] David Scott and Richard Sharp. Abstracting application-level web security. In Proceedings of the 11th international conference on World Wide Web, pages 396–407, 2002.
[23] Yasuhiko Minamide. Static approximation of dynamically generated web pages. In Proceedings of the 14th international conference on World Wide Web, pages 432–441, 2005.
[24] Peter Wurzinger, Christian Platzer, Christian Ludl, Engin Kirda, and Christopher Kruegel. Swap: Mitigating xss attacks using a reverse proxy. In 2009 ICSE Workshop on Software Engineering for Secure Systems, pages 33–39. IEEE, 2009.
[25] Dimitris Mitropoulos, Konstantinos Stroggylos, Diomidis Spinellis, and Angelos D Keromytis. How to train your browser: Preventing xss attacks using contextual script fingerprints. ACM Transactions on Privacy and Security (TOPS), 19(1):1–31,2016.
[26] Hossain Shahriar and Mohammad Zulkernine. S2xs2: a server side approach to automatically detect xss attacks. In 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, pages 7–14. IEEE, 2011.
[27] Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In NDSS, volume 2007, page 12, 2007.
[28] Charlie Curtsinger, Benjamin Livshits, Benjamin Zorn, and Christian Seifert. Zozzle: Fast and precise in-browser javascript malware detection. In 20th USENIX Security Symposium (USENIX Security 11), 2011.
[29] Wafa Ben Jaballah and Nizar Kheir. A grey-box approach for detecting malicious user interactions in web applications. In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, pages 1–12, 2016.
[30] Yingbo Song, Angelos D Keromytis, and Salvatore Stolfo. Spectrogram: A mixture-of-markovchains model for anomaly detection in web traffic. 2009.