Cross-site scripting, also called XSS, is a type of attack where a hacker executes malicious JavaScript within a user’s browser. The code runs within the victim’s browser, and the attacker initially does not have full control of the site. Instead, the bad actor injects the malicious code on top of a legitimate website. When the site is loaded, the malware is executed, deceiving the browser.
JavaScript in XSS
JavaScript is a client-side programming language that adds interactivity and functionality to web pages. It is commonly used on major applications and CMS platforms. Unlike server-side languages such as PHP, JavaScript code running inside a user’s browser will not impact other website visitors. As JavaScript is a client-side language, it cannot run on the server, but it can interact with the server through background requests. Malicious actors may use these background requests to add harmful content to a webpage without requiring a page refresh. These requests may also be used to gather analytics about the client’s browser or perform actions asynchronously.
Working of Cross-site scripting
An attacker can inject their code into a victim’s web page only after exploiting a vulnerability in the website’s software. Once the vulnerability is successfully exploited, the attacker can insert their script, which will run on the victim’s browser.
Once the JavaScript code is executed in the victim’s browser, the attacker can gain access to sensitive information about the user’s session. This information can be used to target the site administrator and potentially lead to a complete compromise of the website.
Cross-site scripting attacks can prove highly effective when a large number of publicly available pages on a website contain vulnerabilities. In such instances, attackers can inject malicious code by adding their own content, phishing prompts, or ads on the website, with the aim of targeting the site’s visitors.
Types of Cross-site scripting attacks
The goals of a cross-site scripting attack determine the different ways it can be utilized. The most frequently used types of cross-site scripting attacks are as follows:
Self Cross-site scripting attack
A self-cross-site scripting attack occurs when the attacker exploits a vulnerability that requires manual changes and extremely specific context. This includes setting our information to payload or cookie values, among other things.
Blind Cross-site scripting attack
Blind cross-site scripting occurs when an attacker cannot see the result of their attack. This type of attack targets a vulnerability that can only be accessed by authorized users. As a result, it requires more preparation from the attacker to successfully launch the attack. In case the payload fails, no notification will be received by the attacker. Additionally, hackers can use polyglots to increase the success rate of these attacks, which can work in different scenarios such as script tags, plain text, and attributes.
Stored Cross-site scripting attack
A stored cross-site scripting attack occurs when the attacker stores a payload on the compromised server, which is then delivered by the website to other visitors. This attack requires only initial action by the attacker, and as a result, many visitors can be compromised. It is considered the most dangerous type of cross-site scripting. An example of this attack includes the fields of a user’s profile such as email address and username, which are stored by the server and displayed on their account page.
Reflected Cross-site scripting attack
Reflected cross-site scripting occurs when the payload is sent from the browser to the server and then reflected back in the server’s response to the user. An example of this attack is a search box or a contact form where the user inputs data containing a malicious script that gets reflected back in the response from the server. Another type of reflected cross-site attack is a search form where the search query is sent to the server, and the result is visible only to the user. Attackers can send custom links to victims that direct them towards the vulnerable page.
DOM-Based Cross-site scripting attack
If the JavaScript code embedded in a webpage is susceptible to cross-site scripting (XSS), the attack that occurs is known as DOM-based cross-site scripting. JavaScript has the ability to enhance the interactivity of a webpage and modify the page’s content by appending arguments in the URL. However, if user input values are not sanitized, malicious code can be added to the page by modifying the Document Object Model (DOM). An instance of DOM-based cross-site scripting can be observed when the website switches to alternative languages specified in the URL, rather than using the default language.
Prevention of Cross-site scripting attacks
Sanitize value
To prevent the generation of HTML content when utilizing user-generated content on a page, it is essential to use entities in place of unsafe characters. Although regular characters and entities may appear identical in appearance, the utilization of entities ensures that HTML cannot be generated.
Whitelist Values
To ensure the security of user input, it is recommended to implement a whitelist that restricts the input to only acceptable values. This approach guarantees that only safe and familiar data is transmitted to the server. Moreover, if we have prior knowledge of the receiving data, such as the options within a drop-down menu, utilizing a restricted user input will prove to be an effective security measure.
Restrict HTML in Inputs
Access to HTML should be restricted to trusted users only. In cases where it is necessary to allow for input formatting and styling, the use of Markdown is a viable alternative to HTML content generation. However, if HTML must be utilized, it is imperative to sanitize it using a dependable sanitizer such as DOMPurify, which effectively removes all unsafe code.
Use HTTPOnly Flags on Cookies
Session cookies are commonly employed to enable websites to identify a user across multiple requests. Unfortunately, attackers often target these cookies and can easily exfiltrate a user’s credentials, allowing them to steal an admin session without proper authorization. However, by implementing HttpOnly cookies, JavaScript is prevented from accessing the cookie’s contents, increasing the difficulty of an attacker’s attempt to hijack the session. While this measure is effective in safeguarding cookies from theft, an attacker can still pose as an admin user and execute requests using an active browser session. Therefore, when cookies are the primary form of identification, this method remains the most practical means of defense.
Use WAF
Using a firewall, it is possible to virtually patch attacks targeting our website. This proactive approach involves intercepting requests, such as SQLi, RCE, and XSS, before they reach our website and become malicious. In addition, firewalls can also offer protection against large-scale attacks like DDOS, further safeguarding the website’s security.
Thank you for choosing this page to learn about Cross-site Scripting. Stay up-to-date on the latest in Ethical Hacking by following us every day @ tutorials.freshersnow.com.