Did you know that 39% of cyber incidents in 2019 involved cross-site scripting (XSS)? That makes it the most widely used attack method for breaching companies, targeting nearly 75% of large businesses.
But, what exactly is cross-site scripting?
XSS can be broken down into three main types: Reflected, Stored, and DOM-based cross-site scripting. Essentially, XSS is a type of attack in which attackers inject malicious scripts into web applications in order to compromise the interactions that users have with the website. These attacks are executed in the user’s web browser when they navigate the infected website.
How Does Cross-site Scripting Work?
Due to the widespread use of JavaScript, we can think of websites as online applications that execute several functions. While JavaScript enables robust functionality, it also presents unique vulnerabilities, such as cross-site scripting.
XSS takes advantage of the fact that websites can’t tell the difference between valid markup and attacker-controlled markup, and therefore simply execute whichever they receive.
Consequently, XSS works by locating vulnerabilities in a website and manipulating them so that the site returns malicious JavaScript to users. This, in turn, enables the attacker to fully compromise the victims’ interaction with the application.
Through cross-site scripting, perpetrators are able to carry out many damaging attacks, such as stealing session cookies, spreading malware, defacing websites, creating havoc online, phishing for credentials, and more.
Stored XSS Attacks
Stored XSS attacks are the most damaging type of XSS, as a stored attack only requires that the victim visit the compromised web page.
In a stored attack, a malicious script is injected into the webpage by exploiting a vulnerability in the website’s software. This script is permanently stored on the target application and is presented as part of the webpage to the victim when they navigate through the site. Once the victim views the page, they inadvertently execute the malicious script.
Since the JavaScript runs in the victim’s browser, this type of attack only requires a single initial action from the attacker, endangers every visitor, and allows sensitive information about the user to be stolen from their session.
Examples of Stored XSS vulnerabilities:
One
A message board application permits users to submit messages, which are then displayed to other users:
<p>Hello, this is my message!</p>
The application doesn’t perform any other processing of the data, so an attacker can easily send a message that attacks other users:
<p><script>/* malicious script… */</script></p>
Two
A vulnerability in profile fields, for example the username or email address, which are saved on the server. If these fields are not properly sanitized, an attacker can insert malicious code when registering as a new user on a forum. The script is triggered every time a user visits the forum section, thereby exposing user cookies and sensitive data.
Three
A vulnerability enables a malicious script to be embedded in a website’s comment section. The attacker comments:
Great price for a great item! Read my review here
<script src="site example .com"></script>
From that point on, any user navigating the site is compromised.
How to Prevent XSS Attacks
Preventing cross-site scripting is not easy. Prevention techniques greatly depend on the subtype of XSS vulnerability, the complexity of the application, and the ways it handles user-controllable data.
However, generally speaking, measures to effectively prevent XSS attacks include:
- Distrust user input. Treat all user input as untrusted. All user inputs should be filtered as strictly as possible and precisely validated.
- Encode data on output. Encode the output to prevent it from being interpreted as active content. Use the appropriate encoding technique depending on where user input is to be used: HTML, URL, JavaScript, and CSS encoding.
- Use a web application firewall (WAF). To prevent an XSS attack, most WAFs rely on signature-based filtering to identify and block malicious requests.
- Content Security Policy. Use a Content Security Policy (CSP) to help you detect and mitigate attacks.
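As an added example that is not part of the original article, here is the message-board renderer from the Stored XSS section in two forms: the vulnerable one, which interpolates the stored message straight into the page as markup, and a hardened one that applies the "encode data on output" measure above for the HTML body context. The function names and sample messages are constructed for this example (Node.js, no dependencies).

```javascript
// Added example, not code from the original article.
// Encode the five characters that can change meaning inside an HTML body.
// This is the HTML-body encoder only; attribute, URL, JavaScript and CSS
// contexts each need their own encoding, as the article notes.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable renderer: the stored message is placed into the page as
// markup, so a message containing <script> runs in every visitor's browser.
function renderMessageVulnerable(message) {
  return `<p>${message}</p>`;
}

// Hardened renderer: the same message is encoded on output, so the browser
// displays the text literally instead of treating it as active content.
function renderMessageSafe(message) {
  return `<p>${encodeForHtml(message)}</p>`;
}

// Small check usable in a unit test or code review: does the rendered HTML
// still contain a raw tag of the given name that a browser would execute?
function containsRawTag(html, tag) {
  return new RegExp(`<${tag}[\\s>/]`, "i").test(html);
}

// Constructed sample messages: a benign post and the payload shape shown in
// the article (script body replaced by a comment).
const benignMessage = "Hello, this is my message!";
const hostileMessage = "<script>/* malicious script... */</script>";

console.log(renderMessageVulnerable(benignMessage));
console.log(renderMessageVulnerable(hostileMessage)); // <script> survives intact
console.log(renderMessageSafe(hostileMessage));       // <script> becomes inert text
```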
Further information on prevention techniques can be found in OWASP’s XSS Prevention Cheat Sheet.