EXSS: an Educational Emulator for Cross-Site Scripting Attacks

DOI:

https://doi.org/10.5753/jbcs.2026.5521

Keywords:

Cybersecurity, XSS Attacks, Emulation, Education

Abstract

This article proposes a Cross-Site Scripting (XSS) attack emulator for cybersecurity education. The emulator allows users to identify a website vulnerable to XSS attacks in a controlled environment. Vulnerabilities are identified through activities that consist of a theoretical introduction to the topic, followed by practical procedures for conducting XSS vulnerability tests on a Web server running on a virtual machine. Activities are developed for different levels of knowledge. What distinguishes the proposed emulator is its educational approach: its goal is to raise awareness among undergraduate students and professionals so that they develop less vulnerable websites.

Published

2026-05-04

How to Cite

Guarizi, B., Alves, I., Fernandez e Souza, J., Pimentel, G., Watanabe, J. A., Mascarenhas, D., Bastos, I., Rubinstein, M., & Moraes, I. (2026). EXSS: an Educational Emulator for Cross-Site Scripting Attacks. Journal of the Brazilian Computer Society, 32(1), 1144–1154. https://doi.org/10.5753/jbcs.2026.5521

Issue

Section

Regular Issue