Republic of the Philippines
National Police Commission
Camp BGen Rafael T Crame, Quezon City
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.


Reference Number ACG-CSB 071821213

         The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.


         Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.


         Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.

         You can confirm most kinds of XSS vulnerability by injecting a payload that causes your own browser to execute some arbitrary JavaScript. It's long been common practice to use the alert() function for this purpose because it's short, harmless, and pretty hard to miss when it's successfully called. In fact, you solve the majority of our XSS labs by invoking alert() in a simulated victim's browser.

        Unfortunately, there's a slight hitch if you use Chrome. From version 92 onward (July 20th, 2021), cross-origin iframes are prevented from calling alert(). As these are used to construct some of the more advanced XSS attacks, you'll sometimes need to use an alternative PoC payload. In this scenario, we recommend the print() function. If you're interested in learning more about this change and why we like print(), check out our blog post on the subject.

As the simulated victim in our labs uses Chrome, we've amended the affected labs so that they can also be solved using print(). We've indicated this in the instructions wherever relevant.



            All PNP personnel as well as the public are advised to follow the tips to avoid the CROSS-SITE SCRPTING (XSS):


  • Keep software updated - Cybercriminals and developers are in a constant arms race, with the former hunting tirelessly for vulnerabilities and the latter working to patch them. If you aren’t judicious about updating software or applications, you give cybercriminals the chance to take advantage of any known vulnerabilities.
  • Sanitize Input Fields - Making financial transactions on an unsecured public Wi-Fi networkis an easy way to give your personal information to prospective hackers. Because public Wi-Fi is open to anyone, they will often insert themselves in between you and the internet in order to capture the sensitive data you're sending. Always make sure you use cash apps on a secure, password-protected network.
  • Use Client- and server-side form validation - Validating all form submissions allows you to check the data on a form before it’s accepted by the server. Typically, client-side form validation is done by utilizing JavaScript to confirm that only data deemed “acceptable” is being used before submitting it to the web server. As an additional safeguard, server-side validation should always be used in tandem with client-side validation. Server-side validation means the server also sanitizes the data before evaluating and accepting it.
  • Use a web application firewall- As cyberattacks become more advanced and prevalent, a good best practice is to use a WAF that can filter bad bots and other malicious threats away from your website. Think of a WAF as the gatekeeper to your website, preventing cross-site scripting attacks before they’re executed. When shopping for a WAF, look for a provider that protects against the latest andthe most common types of attacks.


        For additional information, please refer to the following websites:





            Please contact PMAJ ROVELITA ROBIÑOS AGLIPAY Police Community Relations Officer thru e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us on telephone number (632) 723 0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.