Websites are getting more complex by the day. They combine multiple web applications to enhance the user experience with more dynamic content, and these dynamic websites are prone to cross-site scripting, or XSS, attacks. In this article, we will look at this threat in detail.

What is Cross Site scripting (XSS)?

Cross-Site Scripting (XSS) attacks are a type of code injection in which an attacker gets malicious scripts executed in websites that other users trust. XSS attacks exploit flaws that let untrusted content reach the user's web browser as script: attackers use these flaws to send malicious code, mostly in the form of a browser-side script. Such vulnerabilities are quite common and can appear in any ordinary part of a website.

History of XSS:

Malicious code, including unvalidated data, triggers an XSS attack when it appears in HTTP responses. Cross-Site Scripting attacks were initially discovered in applications that processed data at the server end, where input given by the user could contain an attack vector that went first to the server and then into the user's web page. In 1999, a group of engineers from Microsoft noticed complaints about script and image tags being maliciously injected into HTML pages. They researched the vulnerabilities further and published a report.

How does Cross-Site Scripting work?

The most common form of XSS injects malicious JavaScript into an unsuspecting user's browser. The browser sees nothing wrong with the script and executes it. The malicious script can then access personal information such as cookies, session tokens and browser history, and can even make silent changes to the HTML of the page.

When do XSS attacks occur?

Cross-Site Scripting (XSS) attacks commonly occur when:

  • Malicious code enters a web application through an unreliable source, such as a web request.
  • Malicious data is stored and later included in active content that is sent to the user without being checked for bad scripts.

Categories of XSS attacks:

XSS attacks fall into three types, based on how the malicious script reaches and executes in the user's browser:

  • Stored XSS Attacks

Stored attacks execute malicious scripts that are kept on the website's servers, for example in the database, in comments or visitor logs, in messages and so on. This type of attack is also known as "Persistent XSS" or "Type 1 XSS".

  • Reflected XSS Attacks

In a reflected attack, the malicious script is returned in the response to the user's own request. For example, the injected code can come back from the server in a search result or in any other input that was sent to the server as part of the user's request. Reflected XSS attacks also reach users via emails or unfamiliar sites: once a user clicks a suspicious link, the injected code targets the website's vulnerability and the browser executes it, assuming it came from a trustworthy server. Reflected XSS is also known as "Non-Persistent" or "Type 2 XSS".

  • DOM-based XSS

DOM-based XSS is a variation of both stored and reflected XSS. In a DOM-based XSS attack, the malicious string is not interpreted by the victim's browser until the page's client-side JavaScript executes.

Effects of XSS attacks:

All types of XSS attack end in similar outcomes, ranging from a mere nuisance to hijacking of the user's account. Other outcomes include stealing or leaking the user's personal data, installing malware, redirecting the user to different sites, altering sensitive website content and so on.

Best practices to prevent XSS vulnerabilities:

XSS flaws are difficult to recognize and eliminate from a website or application. Most experts recommend a regular security review of the code, looking for anomalies; this is the best way to be sure whether input from a web request can travel into the HTML output.

Secure input handling is essential, because user input can also carry malicious code. The following techniques are common for secure input handling:

  • Encoding (treat user input as data, never as script)
  • Validation (filter user input so that only expected, trusted values are accepted)
  • Sanitizing (never let received data be read as an executable script, and convert objectionable user input into a suitable format)
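The three controls just listed, as an added example written for this article (not the author's code) in plain JavaScript so it runs without a browser; the sample comment string, the username rule and the `<b>`/`<i>` allow-list are constructed for illustration.

```javascript
// Added example (not from the original article): encoding, validation and
// sanitizing implemented as plain functions so each can be tested on its own.

// 1. Encoding: turn the five HTML-significant characters into entities so the
//    browser renders user input as text instead of interpreting it as markup.
function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  }[ch]));
}

// 2. Validation: accept only input that matches what the field may contain
//    (an allow-list of characters and length); reject everything else.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;   // constructed rule for the example
function isValidUsername(input) {
  return typeof input === "string" && USERNAME_RE.test(input);
}

// 3. Sanitizing: for a field where limited formatting is allowed (a comment
//    that may contain <b> and <i>), encode everything first and then re-enable
//    only the exact allow-listed tags. Attributes are never re-enabled, so a
//    tag carrying an attribute stays encoded. A production application should
//    use a maintained sanitizer library rather than this minimal version.
const ALLOWED_TAGS = ["b", "i"];
function sanitizeComment(input) {
  let out = encodeHtml(input);
  for (const tag of ALLOWED_TAGS) {
    out = out
      .replace(new RegExp(`&lt;${tag}&gt;`, "g"), `<${tag}>`)
      .replace(new RegExp(`&lt;/${tag}&gt;`, "g"), `</${tag}>`);
  }
  return out;
}

// Constructed sample: a stored comment mixing allowed markup with markup the
// application must not let through (a link with an attribute).
const sampleComment = 'Tom & "Jerry" <b>agree</b> <a href="/x">link</a>';

function demo() {
  return {
    encoded: encodeHtml(sampleComment),
    sanitized: sanitizeComment(sampleComment),
    validName: isValidUsername("tom_42"),
    invalidName: isValidUsername("tom<42>"),
  };
}
```

Whatever `sanitizeComment` returns can be inserted into the page as HTML; anything that was not explicitly re-enabled is still displayed literally rather than executed.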

As a user, the first thing to keep in mind is to avoid clicking unknown links and to use only trustworthy websites. Similarly, turning off JavaScript in the browser settings and raising the security settings to high helps avoid cookie theft.

Cross-site scripting is gaining popularity among attackers, so it is important to be aware of it.