Testing Cross-Site Scripting (XSS) Vulnerabilities in an Online Payment Web Application

Artem S. Merkulov, Olga R. Laponina


The object of the study is a web-based online payment company Payture, which cooperates with large companies and banks. Payture acts as a payment gateway between merchants, banks and payment systems, offering a flexible integration API. This paper analyzes how to test the Payture online payment web application for the presence of known cross-site scripting attack vectors. A recommended list of protection measures is determined for this application as well as for similar applications. The types of XSS attacks are considered, which allows you to design an attack and analyze the elements of a web application that can contain XSS vulnerabilities. Free and commercial software products are described that allow for a comprehensive or partial analysis of web applications for XSS vulnerabilities. The main features of the API company “Payture” are considered, the sequence of actions for finding XSS vulnerabilities is determined. Suggestions have been made for sharing several tools for analyzing XSS vulnerabilities in web applications.

Full Text:

PDF (Russian)


Cross-site Scripting (XSS). OWASP™ Foundation. The free and open software security community. URL: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

OWASP Top 10 -2017. The Ten Most Critical Web Application Security Risks. OWASP™ Foundation. The free and open software security community. URL: https://www.owasp.org/index.php/Top_10-2017_Top_10

Seth Fogie, Robert Hansen, Jeremiah Grossman, Petko Petkov, Anton Rager, «XSS Attacks: Cross Site Scripting Exploits and Defense», Elsevier, Inc., 482р., USA, 2007.

Statistics of attacks on web applications. URL: https://www.ptsecurity.com/ru-ru/research/analytics/web-application-attacks-2018/

Payture [Software]. Commercial product test environment and API documentation. URL: https://payture.com/api

The web-application vulnerability scanner Wapiti3 [Software]. URL: http://wapiti.sourceforge.net/

Web Applicaytion Security Solution NetSparker [Software]. URL: https://www.netsparker.com/

OWASP Xenotix XSS Exploit Framework [Software]. URL: https://xenotix.in/

CSP Evaluator [Software]. URL: https://csp-evaluator.withgoogle.com/

OWASP AntiSamy Project [Software]. OWASP™ Foundation. The free and open software security community. URL: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

Prototype implemented tool AntiFraudXSS [Resource]: https://drive.google.com/file/d/14kjesiN_m7glXTZlGhi16jyNoqPO06UX/view?usp=sharing_eil&invite=CKSE58QJ&ts=5cfbc4c9


  • There are currently no refbacks.

Abava  Absolutech Fruct 2020

ISSN: 2307-8162