DeepAI AI Chat
Log In Sign Up

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

by   Abdelhakim Hannousse, et al.
Université Larbi Tébessi

Cross-site scripting (XSS) is one of the major threats menacing the privacy of data and the navigation of trusted web applications. Since its reveal in late 1999 by Microsoft security engineers, several techniques have been developed in the aim to secure web navigation and protect web applications against XSS attacks. The problem became worse with the emergence of advanced web technologies such as Web services and APIs and new programming styles such as AJAX, CSS3 and HTML5. While new technologies enable complex interactions and data exchanges between clients and servers in the network, new programming styles introduce new and complicate injection flaws to web applications. XSS has been and still in the TOP 10 list of web vulnerabilities reported by the Open Web Applications Security Project (OWASP). Consequently, handling XSS attacks became one of the major concerns of several web security communities. In this paper, we contribute by conducting a systematic mapping and a comprehensive survey. We summarize and categorize existent endeavors that aim to protect against XSS attacks and develop XSS-free web applications. The present review covers 147 high quality published studies since 1999 including early publications of 2022. A comprehensive taxonomy is drawn out describing the different techniques used to prevent, detect, protect and defend against XSS attacks. Although the diversity of XSS attack types and the scripting languages that can be used to state them, the systematic mapping revealed a remarkable bias toward basic and JavaScript XSS attacks and a dearth of vulnerability repair mechanisms. The survey highlighted the limitations, discussed the potentials of existing XSS attack defense mechanisms and identified potential gaps.


page 10

page 11

page 15

page 17

page 19


Fighting Against XSS Attacks: A Usability Evaluation of OWASP ESAPI Output Encoding

Cross Site Scripting (XSS) is one of the most critical vulnerabilities e...

Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks

In a Cross-Origin State Inference (COSI) attack, an attacker convinces a...

Encoding a Taxonomy of Web Attacks with Different-Length Vectors

Web attacks, i.e. attacks exclusively using the HTTP protocol, are rapid...

Automated Detecting and Repair of Cross-Site Scripting Vulnerabilities

The best practice to prevent Cross Site Scripting (XSS) attacks is to ap...

A Systematic Survey of Attack Detection and Prevention in Connected and Autonomous Vehicles

The number of Connected and Autonomous Vehicles (CAVs) is increasing rap...

Securing Microservices and Microservice Architectures: A Systematic Mapping Study

Microservice architectures are becoming trending alternatives to existin...