Cross-site Scripting (XSS) is a type attack that injects malicious code in web applications, ranked among the top vulnerabilities in OWASP Top 10 2017. For example, an attacker takes advantage of a given vulnerability on a website trusted by their visitors to install a script that will perform malicious actions such as copying cookies, tokens or stealing access data cached in the user’s web browser.
In general, the attack occurs due to failure to validate the user input data and the Web server response. Hardly a user will be able to identify the communication failure between the data entry in the browser and the response from the destination server.
Types of XSS
There are three types of script injection attacks:
- Persistent: The script injected by the attacker is permanently hosted on the destination server. The user can trigger the load by just browsing an infected website; therefore, any user can execute the malicious code without any specific action. This is a very dangerous type of attack, because the code can be hosted in several destinations, such as comment fields, database etc.
- Not Persistent/Reflected: In this case, the script will not be hosted on a destination server, so it will need to be delivered to each victim. This can happen through various forms of social engineering, for example an error message or a search result. A common method is a link delivered through phishing schemes. By triggering the server, through the link, the script will be reflected and executed in the browser. This is the most frequent technique.
- DOM-based: The third type of XSS attack exploits the Document Object Model (DOM), which is the interface that defines that HTML and XML are displayed in the browser. The script is able to change properties of the applications that execute these types of extensions directly in the browser, therefore without interaction with the server to perform the attack. In this case, the failure is in the validation of the HTML or XML code in the browser.
Cross-site request forgery (CSRF)
An attack method similar to XSS is CSRF. The core difference is that CSFR attacks require an authenticated session to perform their goal. So, the attacker only exploits sessions that the user is logged in to web services. Another important difference is the CSFR goal, which is often related to state-changing requests, since the attacker inherits the privileges of an authenticated session – for example, can be used to modify network firewall settings.
How to prevent XSS attacks
XSS attacks occur when:
- A web application allows data entry, but is not able to validate data effectively;
So, to consider data entry as unreliable is a ground rule to prevent this type of action. In case of data entry to HTML context, for example, active content should be avoided.
The active defense tools that follow these rules will be strong allies against XSS attacks. For example, intrusion prevention system (IPS) is crucial to classifying user input through web applications from whitelists. Entries that do not match the rules should be rejected. In other words, the golden rule for IPS is to deny all entries, then allow only as an exception.
Considering that XSS attacks take advantage of breaches in web applications, the adoption of a vulnerability management product to scan such applications may be relevant as it allows to obtain recurring information on the security status of the applications used by its users, either in an authenticated way or not authenticated.
Additional recommendations for preventing XSS attacks can be found in the OWASP Top Ten XSS Prevention Cheat Sheet.