Cross-Site Scripting (XSS) is one of the most common, yet most easily fixed, injection attacks faced by e-commerce businesses and a wide range of other web applications. From applications built on dated web technologies to newer ones with rich, client-side UIs, XSS has plagued them all. It is important to realize, however, that the vulnerabilities that make an XSS attack possible can be detected and fixed early.
How does a Cross-site scripting attack occur?
A cross-site scripting (XSS) attack occurs when:
- a web application accepts input data from an untrusted source, and
- the dynamic content supplied through the web request is used without being checked for malicious content.
There are three types of XSS attack:
- Persistent XSS attack: the payload is stored on the server side and is retrieved whenever a user requests the page.
- Non-persistent XSS attack: the payload is reflected back to the user, who opens a link to a vulnerable website with a crafted input.
Anatomy of a Cross-site scripting (XSS) attack
How do attackers exploit XSS?
- The attacker posts the following payload in the comment section.
- As soon as any legitimate user opens the comment box to read the comment, the browser parses the comment as HTML and runs the script.
Notorious Cases of Cross-Site Scripting Attacks
Apart from e-commerce sites, several social media sites have been subject to such infamous attacks. Twitter was targeted with one such XSS worm that led to malicious links getting lodged on a website named StalkDaily. Another well-known XSS attack was the MySpace attack by the Samy worm, a benign virus which altered the profile page of MySpace users and sent random friend requests.
Precautions to Mitigate XSS Attacks
To prevent XSS, white-list most input to alphanumeric characters, admitting specific special characters only where a field genuinely needs them. This reduces the attack surface and minimizes the potential for bugs.
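As an added example (not code from the original article), the following Node.js snippet shows what white-listing input looks like in practice: each field is given the only pattern it is allowed to match, and anything outside that pattern is rejected before it reaches storage or a template. The field names, patterns, the `validateField`/`validateBody` helpers and the sample requests are all constructed assumptions for illustration.

```javascript
// Added example (not from the original article): allow-list input validation.
// Each field gets a strict pattern describing the only characters it may
// contain; anything else is rejected before the value is stored or rendered.
const ALLOW_LIST = {
  username: /^[A-Za-z0-9_]{3,20}$/,          // alphanumeric plus underscore
  quantity: /^[0-9]{1,4}$/,                   // digits only
  // Free text such as a comment cannot be purely alphanumeric, so only a
  // small, explicit set of punctuation is admitted (no < > " ' & or /).
  comment: /^[A-Za-z0-9 .,!?()-]{1,500}$/,
};

// Returns { ok: true, value } when the input matches the field's pattern,
// or { ok: false, reason } otherwise. Fields without an allow-list entry are
// rejected too, so a new field cannot silently bypass validation.
function validateField(field, value) {
  const pattern = ALLOW_LIST[field];
  if (!pattern) {
    return { ok: false, reason: `no allow-list for field "${field}"` };
  }
  if (typeof value !== 'string') {
    return { ok: false, reason: `"${field}" must be a string` };
  }
  if (!pattern.test(value)) {
    return { ok: false, reason: `"${field}" contains characters outside its allow-list` };
  }
  return { ok: true, value };
}

// Validates a whole request body, collecting every failure so the caller can
// report them together instead of stopping at the first one. Only values that
// passed are copied into `clean`.
function validateBody(body) {
  const errors = [];
  const clean = {};
  for (const [field, value] of Object.entries(body)) {
    const result = validateField(field, value);
    if (result.ok) clean[field] = result.value;
    else errors.push(result.reason);
  }
  return { ok: errors.length === 0, clean, errors };
}

// Constructed sample requests (not captured traffic).
const goodRequest = { username: 'alice_01', quantity: '3', comment: 'Great product, fast delivery!' };
const badRequest = { username: 'alice<script>', quantity: '3', comment: 'ok' };

console.log(validateBody(goodRequest)); // ok: true, no errors
console.log(validateBody(badRequest));  // ok: false, username rejected
```

Note that validation on its own is not enough for fields that must accept free text; it narrows what can reach the page, and output encoding (discussed below) still has to be applied when the value is rendered.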
Use of secure DOM elements
Output encoding neutralizes most XSS payloads and is the main defense against server-side injection of script into pages. HTML encoding is the most common method; URL encoding removes any injected markup from values placed in links and redirects.
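As an added example (not code from the original article), the following Node.js snippet takes the stored-comment page from the anatomy section above and renders it first unsafely, then with the output encoding this section recommends, and finally shows URL encoding for a link and a simple same-origin rule for redirects. The comment text is a constructed sample, and the `encodeHtml`, `renderCommentUnsafe`, `renderCommentSafe`, `buildSearchLink` and `safeRedirectTarget` helpers, along with the assumption that the application only ever redirects within its own origin, are all illustrative choices rather than anything from the original page.

```javascript
// Added example (not from the original article): output encoding for a
// stored comment, a link and a redirect. Sample comment text is constructed.

// Encode the five characters that let text break out of HTML text nodes and
// double-quoted attribute values. '&' is replaced first so that entities
// produced by the later replacements are not encoded twice.
function encodeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the stored comment is concatenated straight into markup, so
// any markup inside the comment is parsed by the browser as markup.
function renderCommentUnsafe(author, comment) {
  return `<div class="comment"><b>${author}</b>: ${comment}</div>`;
}

// HARDENED: every untrusted value passes through encodeHtml on output, so the
// browser shows the comment text literally instead of interpreting it.
function renderCommentSafe(author, comment) {
  return `<div class="comment"><b>${encodeHtml(author)}</b>: ${encodeHtml(comment)}</div>`;
}

// Links: an untrusted value goes into the URL through encodeURIComponent,
// which percent-encodes everything outside the unreserved set, so neither
// markup nor extra URL syntax survives into the link. The href is then
// HTML-encoded as well because it sits inside an attribute.
function buildSearchLink(query) {
  const href = `/search?q=${encodeURIComponent(query)}`;
  return `<a href="${encodeHtml(href)}">${encodeHtml(query)}</a>`;
}

// Redirects: encoding cannot help when the attacker controls the whole
// destination, so this helper (assumption: the app only redirects within
// itself) accepts only a relative path that does not start with "//".
function safeRedirectTarget(target) {
  if (typeof target === 'string' && /^\/(?!\/)[\w\-.\/?=&%]*$/.test(target)) {
    return target;
  }
  return '/';
}

// Constructed sample comment containing markup (not a captured payload).
const storedComment = '<script>alert(1)</script> nice shop';

console.log(renderCommentUnsafe('bob', storedComment)); // script tag intact
console.log(renderCommentSafe('bob', storedComment));   // &lt;script&gt;... shown as text
console.log(buildSearchLink('a&b <c>'));                // q=a%26b%20%3Cc%3E
console.log(safeRedirectTarget('//evil.example'));      // "/"
```

The important design point is that encoding is chosen per output context: `encodeHtml` for text and attribute values, `encodeURIComponent` for a value inside a URL, and both when a URL is itself placed in an attribute. Validation at input time narrows what is stored, but the encoding at output time is what stops a stored payload from being parsed as HTML.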