Cross-site Scripting (XSS) Attack: All You Need to Know

Updated: March 29th, 2020

Cross-Site Scripting (XSS) is one of the most common, and at the same time one of the most readily fixable, injection attacks faced by e-commerce businesses and web applications in general. From applications built on older server-rendered stacks to newer ones with rich client-side UIs, XSS has affected them all. The good news is that the vulnerabilities behind an XSS attack can be detected and fixed early with relatively little effort.

How does a Cross-site scripting attack occur?

A cross-site scripting (XSS) attack occurs when

  1. A web application accepts input from an untrusted source (a form field, a URL parameter, an HTTP header, or data previously stored by another user), and
  2. That input is placed into dynamic content sent to the browser without being validated or encoded for the context in which it appears, so the browser interprets it as markup or script rather than as data.

A simple example of such input is the name, e-mail address, username and password, or any other value we submit in a form. Each of these can be manipulated if the underlying code does not properly validate or encode it. An attacker uses this weakness to inject malicious content, usually JavaScript or HTML, or anything else the browser will execute. The end user has no way of telling the injected script from the site's own code and ends up executing it. Once it runs, the script has the same privileges as the site's own scripts: it can read any cookie not flagged HttpOnly, session tokens kept in page storage and other sensitive information the page exposes, and it can issue requests in the user's name.

XSS attacks come in three types:

  1. DOM-based XSS: the payload never reaches the server. Client-side JavaScript on the page reads attacker-controlled data (for example from location.hash or the query string) and writes it into the DOM through an unsafe sink such as innerHTML or document.write, so the browser executes it. The injected code is almost always JavaScript today (historically also Flash or VBScript).
  2. Persistent (stored) XSS: the payload is stored on the server side (in a comment, profile field or database record) and is served to every user who later requests the page that displays it.
  3. Non-persistent (reflected) XSS: the payload is carried in the request, typically a link to the vulnerable site with a crafted parameter, and is reflected straight back in the response to the user who opened that link.

Anatomy of a Cross-site scripting (XSS) attack

How do attackers exploit XSS?

Generally, an attacker uses an XSS vulnerability to steal the session cookie of the end user, which in turn lets the attacker access that user's account. An example of this scenario:
  • The website you visit has a comment field.
  • The attacker posts a comment whose body is a script payload.

  • When a legitimate user opens the page on which the comment is displayed, the browser parses the comment as HTML and finds the script.
  • The script executes in that user's browser and sends the user's cookie to a server controlled by the attacker.
 This simple vulnerability, if it exists in your web application, can have very serious consequences. Two caveats matter in practice: the stolen cookie is only useful while the session remains valid, and a cookie flagged HttpOnly cannot be read by script at all, which is why that flag belongs on every session cookie (the injected script can still act within the victim's session from the victim's own browser, so HttpOnly narrows the impact rather than removing it). Another common XSS exploitation is the drive-by download, where the attacker uses your application to make an end user download malware without their knowledge by clicking on what appear to be legitimate links.

Notorious Cases of Cross-Site Scripting Attacks

XSS attacks are mostly carried out for financial gain. A notable one is the past attack against the e-commerce giant eBay, in which attackers injected malicious JavaScript into several listings for cheap iPhones; the code redirected users to a fake login page built to harvest their credentials.

Apart from e-commerce sites, several social media sites have suffered well-known attacks. Twitter was hit by an XSS worm that spread by posting tweets linking to a website named StalkDaily. Another well-known case was the MySpace Samy worm, a self-propagating script that altered the profile pages of MySpace users and added its author as a friend of every infected profile.

Precautions to Mitigate XSS Attacks

Preventing an XSS attack does not mean stopping users from entering characters that could form a payload; it means making sure that whatever they enter is never parsed as HTML or script by the browser. With that in mind, here are a few methods used to prevent XSS.
  1. Input Validation

    Where a field has a known format, allow-list the input to exactly that format, for example alphanumeric characters, or a small set of special characters where the field needs them. This reduces the attack surface and the scope for bugs, but it is a defence-in-depth measure, not a substitute for output encoding: free-text fields such as comments legitimately contain quotes and angle brackets, and they must still be encoded when displayed.

  2. Use of secure DOM elements

    Unsafe handling of DOM (Document Object Model) elements leads to XSS even in rich client-side UIs. For example, assigning user input to the innerHTML property parses it as HTML, so any tags or event-handler attributes (onerror, onload and the like) in the input take effect. The safe alternative is to assign the value to textContent (or innerText), which inserts it as plain text.

  3. JavaScript Escaping

    When untrusted data has to be placed inside a JavaScript string literal, escaping only the quote characters is not enough: the sequence </script> closes the script block regardless of quoting. Escape every character outside [A-Za-z0-9] as \xHH (or \uHHHH), and do not rely on HTML entities inside a script block, where the browser does not decode them. Encoding the single quote as &#x27; is the right choice in HTML attribute values, which is a different context.

  4. Output Encoding

    Output encoding neutralizes the vast majority of XSS payloads and is the primary defence against server-side injection. The encoding has to match the context the data lands in: HTML entity encoding for element content and attribute values is the most common case, while URL encoding (percent-encoding) is what stops markup from being smuggled into links and redirects. Encoding for the wrong context, such as HTML entities inside a script block, leaves the hole open.
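To make precautions 1, 3 and 4 concrete, here is added example code (not from the original article) for allow-list validation of a fixed-format field, escaping data placed inside a JavaScript string literal, and encoding untrusted data for URL contexts, including a redirect-target check. The field rules, the site origin https://shop.example and the sample inputs are assumptions for the demo. Precaution 2 concerns browser DOM sinks and is not shown here because the block runs under Node.

```javascript
// Added example (not from the original article): precautions 1, 3 and 4 as
// code. All inputs, the username rule and the site origin are constructed.

// Point 1: allow-list validation. Only accept what the field is supposed to
// contain; a username here is assumed to be 3-32 characters of [A-Za-z0-9_].
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;
function isValidUsername(value) {
  return typeof value === "string" && USERNAME_RE.test(value);
}

// Point 3: escaping for a JavaScript string literal, e.g.
//   <script>var user = '<%= jsEscape(name) %>';</script>
// Every character outside [A-Za-z0-9] becomes \xHH (or \uHHHH above 0xFF), so
// neither quotes nor "</script>" can break out of the literal. HTML entities
// such as &#x27; must NOT be used here: the browser does not decode entities
// inside a <script> block, so they would remain literal text.
function jsEscape(str) {
  return String(str).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Point 4a: URL-context encoding. Untrusted data that becomes a query-string
// parameter is percent-encoded, so quotes and angle brackets cannot close the
// href attribute or start a tag.
function buildSearchLink(query) {
  return "/search?q=" + encodeURIComponent(query);
}

// Point 4b: a user-supplied redirect target is accepted only if it parses,
// uses http(s) (refusing javascript: and data: schemes, which would execute
// script when followed) and stays on our own origin (refusing open redirects).
const SITE_ORIGIN = "https://shop.example"; // assumed site origin for the demo
function safeRedirectTarget(url) {
  let parsed;
  try {
    parsed = new URL(url, SITE_ORIGIN + "/");
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  if (parsed.origin !== SITE_ORIGIN) return null;
  return parsed.href;
}

// Stand-alone run with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(isValidUsername("alice_01"), isValidUsername("<img src=x onerror=alert(1)>"));
  console.log(jsEscape("</script><script>alert(document.cookie)</script>"));
  console.log(buildSearchLink('"><script>alert(1)</script>'));
  console.log(safeRedirectTarget("/account/orders"));
  console.log(safeRedirectTarget("javascript:alert(document.cookie)"));
  console.log(safeRedirectTarget("https://attacker.example/login"));
}
```

Each function targets one output context, which is the discipline behind precaution 4: the same comment text needs htmlEncode in an element, jsEscape in a script block and encodeURIComponent in a query string, and mixing them up (or applying one encoder everywhere) is how encoded-but-still-exploitable pages happen.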