Cross-Site Scripting (XSS) attack is vulnerability typical of web applications, where malicious scripts are injected into trusted websites. These malicious scripts can be hosted on the same web server, or can be inserted through complementary attacks, which means that users can inadvertently navigate through a compromised website. The main security issues that result from an XSS attack are the hijack of user sessions, deface websites, redirect the user to malicious sites, capture of keystrokes, denial of service attacks, scans of corporate networks, phishing attacks, or the geolocation of a user. However, the objective of this attack is the theft of cookies stored on the victim computer, since this information can let the attacker to extract confidential data from the user. Our research work presents Cookie Scout, an analytical model for preventing XSS attacks, which main goal is to classify cookies according to their parameters. For this purpose we collect, analyse and classify the type of traffic in a botnet using the Browser Exploitation Framework (Beef) tool for execute attacks and malicious code remotely in a controlled testing environment. In this test lab we connect desktop computers, laptops and mobile devices to configure a network of zombie equipment.

With the parameters obtained from this traffic analysis, an algorithm was designed to detect suspicious websites based on the reputation of their cookies. We were able to find that some parameters of the cookies as their expiration date varied from 2 to 30 or 200 years. The main contribution of this research is to analyse the behaviour of cookies, through their parameters, and how they could be blocked by an algorithm that could be developed in any programming language. The results obtained showed that the parameters of the cookies were a good reference to determine web pages vulnerable to XSS attacks.