What’s XSS? How Can You Stop it?

Introduction

What’s XSS, and how can you stop it? As web applications grow in complexity and use, so do their vulnerabilities, and Cross-Site Scripting (XSS) is among the most prevalent. An XSS vulnerability exploits a flaw in user-input sanitization to “write” JavaScript into the page so that it runs in the visitor’s browser (on the client side), enabling a variety of attacks.

If a web application accepts unfiltered user input, it is susceptible to XSS. Payloads are not limited to JavaScript: XSS is also possible via VBScript, Flash, and CSS.

The severity of the vulnerability is determined by the type of XSS, which is usually divided into two categories: persistent (stored) and reflected. Depending on the situation, the following attacks may be carried out:

  • Cookie Stealing – Stealing a user’s cookie from an authenticated session, allowing an attacker to log in as that user without supplying any credentials.

  • Keylogging – An attacker can register a keyboard event listener and send all of your keystrokes to their own server.

  • Webcam snapshot – HTML5 capabilities make it possible to capture images from a compromised computer’s webcam.

  • Phishing – An attacker could insert fake login forms into the page or redirect you to a clone of a legitimate website in an attempt to obtain your personal information.

  • Port Scanning – You read that correctly. Stored XSS can be used to scan an internal network and identify other hosts.

  • Other browser-based exploits – XSS opens the door to a wide range of further attacks.

Who knew that all of this was possible by simply visiting a website? Your browser and anti-virus software have safeguards in place to prevent this from occurring.

 

Stored cross-site scripting

Stored cross-site scripting is the most dangerous type of XSS. Here the malicious string originates in the website’s own database. This usually happens when a website accepts user input that is not sanitized (that is, the “bad parts” of the input are not removed) before it is inserted into the database.

An attacker places a payload in a field while registering for a website, and that payload is saved in the website’s database. If the website does not correctly sanitize the field, the payload executes for every visitor to any page on which the field is displayed.

The payload could be as simple as <script>alert(1)</script>

This payload does not just execute in the attacker’s own browser; it executes in the browser of every user who is shown the malicious data stored in the database.

 

Reflected Cross-site Scripting

In a reflected cross-site scripting attack the malicious payload is part of the victim’s request to the website, and the website includes it in its response to that user. In short, the attacker must convince the victim to open a URL in order for the payload to execute.

This may appear safe because the victim has to send a request containing the attacker’s payload, and a user would not attack themselves. With social engineering, however, an attacker may convince a user to click a malicious link embedded in an email.

Reflected XSS is the most common type of XSS attack.

The attacker sends the victim a URL containing the payload and tries to trick the victim into clicking it. The request could look like

http://im4rent.com/search?keyword=<script>…</script>

The website returns a response that reflects the payload from the request, and the victim’s browser executes it. Whatever the payload collects is then delivered to the attacker (not necessarily sent straight to the attacker: it may go to another website from which the attacker later gathers the data, which keeps the attacker from receiving the victim’s data directly).
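To make the reflection concrete, here is an added example in Python (not code from the original post): a minimal server-side render of the search page for the request above, once reflecting the keyword untouched and once escaping it with the standard library’s html.escape. The request URL, page layout and helper names are constructed for this example; the payload is the alert(1) one the post uses in the stored XSS section, and the same escaping applies to data read back from a database.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request, modelled on the search URL from the post, carrying the
# alert(1) payload from the stored XSS section.
REQUEST_URL = "http://im4rent.com/search?keyword=<script>alert(1)</script>"


def keyword_from_url(url: str) -> str:
    """Pull the 'keyword' query parameter out of a request URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("keyword", [""])[0]


def render_vulnerable(keyword: str) -> str:
    """Reflects the search term into the page untouched. The browser parses
    any markup inside it, so a <script> element in the term is executed."""
    return f"<h1>Results for: {keyword}</h1>"


def render_escaped(keyword: str) -> str:
    """Escapes the term before it reaches the HTML context: <, >, &, ' and "
    become entities, so the browser shows the text instead of executing it."""
    return f"<h1>Results for: {html.escape(keyword, quote=True)}</h1>"


def contains_script_tag(page: str) -> bool:
    """Crude check, used here only to show the difference between the two
    renders: does the rendered page still contain a literal <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    kw = keyword_from_url(REQUEST_URL)
    for name, render in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        page = render(kw)
        print(f"{name:10s} script tag present: {contains_script_tag(page)}")
        print("   ", page)
```

The escaped render is the fix for this particular sink, an HTML body context; a value placed inside an attribute, a URL or a script block needs the escaping rules of that context instead, which is why a templating engine with context-aware auto-escaping is the usual choice.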

 

What is the DOM?

The Document Object Model (DOM) is a programming interface for HTML and XML documents. It represents the page so that programs can modify the document’s structure, style, and content. A web page is a document that can be shown either rendered in the browser window or as HTML source.

Through the object model, JavaScript gains all the abilities it needs to generate dynamic HTML.

In a DOM-based XSS attack the malicious payload is not parsed by the victim’s browser until the website’s own legitimate JavaScript runs. What does this imply?

With reflected XSS, the attacker’s payload is injected directly into the page by the server, so it executes regardless of whether any other JavaScript on the site is loaded. With DOM-based XSS, the payload only executes because the site’s own script reads it and writes it into the DOM.

 

Phishing

Phishing attacks are an extremely popular form of XSS attack. Typically, phishing attacks use information that appears legitimate to deceive victims into revealing sensitive information. Common XSS phishing attempts inject bogus login forms that send the entered credentials to the attacker’s server; those credentials can then be used to access the victim’s account and sensitive information.

Session Hijacking

Modern web applications use cookies to maintain a user’s session across many visits. This lets the user log in once and keep their session even when they return to the site later. If a malicious person obtains the cookie data from the victim’s browser, they may be able to log in as the victim without knowing the victim’s credentials.

With the ability to execute JavaScript in the victim’s browser, an attacker may be able to read the victim’s cookies and send them to a server they control, hijacking the logged-in session. This is known as a Session Hijacking (or Cookie Stealing) attack.
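Script in the page can only read cookies that are exposed to document.cookie, so the standard hardening for a session cookie is the HttpOnly attribute (and Secure, so the cookie never travels over plaintext HTTP). The following Python is an added example, not code from the original post: a small audit that parses Set-Cookie header values and reports which of those protections a session cookie lacks. The header strings are constructed sample input and the function names are assumptions for this example. HttpOnly does not fix the XSS itself; it only takes the cookie out of reach of injected script.

```python
# Constructed Set-Cookie header values used as sample input for this example.
SAMPLE_HEADERS = [
    "session=6f1c2a; Path=/",
    "session=6f1c2a; Path=/; Secure; HttpOnly",
]


def cookie_attributes(set_cookie: str) -> dict:
    """Parse the attribute part of a Set-Cookie value into a map of
    lower-cased attribute name -> value. Flags such as HttpOnly map to ''."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the cookie's own name=value pair
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def missing_session_protections(set_cookie: str) -> list:
    """Return the attributes a session cookie should carry but does not.

    HttpOnly keeps the cookie out of document.cookie, so script injected via
    XSS cannot read it; Secure keeps it from being sent over plaintext HTTP."""
    attrs = cookie_attributes(set_cookie)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return missing


def audit_headers(headers) -> dict:
    """Map each Set-Cookie value to the list of protections it is missing."""
    return {h: missing_session_protections(h) for h in headers}


if __name__ == "__main__":
    for header, missing in audit_headers(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{status:26s} {header}")
```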

 

Protection Methods

Here are three methods for preventing cross-site scripting in your application.

  1. Escaping: Escape all user input. This means that all data received by your application is made safe before it is displayed to end users. Escaping prevents the browser from giving certain characters in the data a dangerous interpretation. For example, you could prevent the < and > characters from being rendered as markup.
  2. Validating Input: This is the process of verifying that your application only accepts the data it expects, so that fraudulent data cannot harm your website, database, or users. Input validation stops specific characters from being submitted in the first place.
  3. Sanitizing: Finally, sanitizing data is a powerful defense, but it should not be used alone to combat XSS. It is especially useful on websites that permit HTML markup, because it converts invalid user input into an acceptable format. For example, you could sanitize the < character into the HTML entity &#60;
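As an added illustration of methods 2 and 3 (not code from the original post), the following Python puts an allowlist validator for a username field beside a small allowlist HTML sanitizer built on the standard library’s html.parser. The field rules, the set of allowed tags and the sample inputs are assumptions made for this example. Escaping (method 1) appears here only as html.escape applied to the text that survives sanitization, which is how < ends up as &lt; (the browser treats that like the post’s &#60;).

```python
import html
import re
from html.parser import HTMLParser

# Method 2, validation: an allowlist pattern decides what a username may look
# like, so characters such as < and > are rejected before they are stored.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value: str) -> bool:
    """True only if the whole value matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(value) is not None


# Method 3, sanitization: for fields that may carry limited HTML, keep only an
# allowlist of tags and drop everything else. Text is always escaped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
VOID_TAGS = {"br"}                        # tags that never get a closing tag
DROP_CONTENT_TAGS = {"script", "style"}   # drop the tag and everything inside it


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output pieces
        self.open = []         # allowed tags currently open, for well-nested output
        self.skipping = False  # inside <script>/<style>: discard text

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # <img onerror=...>, <iframe>, ... are dropped; their text is kept
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith(("http://", "https://")):
                self.out.append(f'<a href="{html.escape(href, quote=True)}">')
            else:
                self.out.append("<a>")  # javascript: and other schemes are stripped
        else:
            self.out.append(f"<{tag}>")  # every other attribute (onclick, style, ...) is discarded
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = False
            return
        if tag in self.open:
            # Close everything opened after this tag as well, so output stays well nested.
            while True:
                top = self.open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))


def sanitize_markup(fragment: str) -> str:
    """Return a copy of the fragment containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open:  # close anything the input left open
        parser.out.append(f"</{parser.open.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    print(validate_username("alice_01"), validate_username("<script>"))
    print(sanitize_markup('Hi <b>all</b> <img src=x onerror=alert(1)> <a href="javascript:alert(1)">x</a>'))
```

The sanitizer is deliberately an allowlist: anything not explicitly permitted (unknown tags, every attribute other than a checked href) is removed rather than pattern-matched against a list of known-bad strings. For production use a maintained sanitizer library is still the safer choice, because the HTML parsing corner cases are where hand-written sanitizers fail.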

 

Source and more info:

https://en.wikipedia.org/wiki/Cross-site_scripting

https://portswigger.net/web-security/cross-site-scripting