Cross-site scripting (abbreviated XSS) has earned bug hunters a lot of bounties because of insecure development practices. In terms of difficulty, it is not hard to exploit, and a single script can be enough to expose sensitive information about your website. So this article covers Cross-Site Scripting, its attacks and prevention tips.
Note that while many websites publish payloads for this attack, do not use them unless the target website runs a bounty program on a bug bounty platform or has a responsible disclosure policy.
Cross-Site Scripting (XSS) Attacks and Prevention Tips
You can find various definitions of Cross-Site Scripting on the Internet, but we have tried to put it in layman’s terms for you.
When an attacker injects a piece of code (or a snippet with specific functionality) intended to damage or harm the website, it is called cross-site scripting. These snippets are generally JavaScript-based, and their severity ranges from low to critical.
Some instances of cross-site scripting are revealing cookies, directing links to the attacker’s server or a phishing page, accessing web document properties, and storing the malicious payload permanently on the server.
Attackers make use of ready-made sets of payloads, software that automates the attacks, and websites that store the attack history. These include Burp Suite, GitHub, and XSS Hunter.
How is an XSS vulnerability exploited?
Wherever a website has a section that accepts user input, there is a chance that XSS can be exploited. For example, suppose a search bar asks you for a search term and the attacker enters JavaScript such as ‘<script>alert(1)</script>’. If the website takes no security measures, it will pop up ‘1’ on the page. In the same way, an attacker can exploit various other scenarios with XSS.
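The search-bar case above, as an added example that is not part of the original article: the vulnerable pattern that interpolates the raw query into markup next to a hardened version that validates the input and HTML-encodes it (the same encoding the prevention tips describe). The function names and the validation limits are assumptions made for this illustration.

```javascript
// Added example (not from the original article): a search page that echoes the
// query back into its HTML. renderUnsafe() is the vulnerable pattern the article
// describes; renderSafe() applies input validation and HTML encoding.

// Characters that can break out of an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encode for the HTML text context: '<' becomes '&lt;', '>' becomes '&gt;', etc.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the raw query lands inside the markup, so a query of
// <script>alert(1)</script> is handed to the browser as a script element.
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Validation step (assumed limits): reject empty or overly long queries and
// control characters. Encoding is the essential control; validation narrows
// what reaches the page at all.
function validateQuery(query) {
  if (typeof query !== 'string') return false;
  if (query.length === 0 || query.length > 100) return false;
  return !/[\u0000-\u001f\u007f]/.test(query);
}

// Hardened: validate, then encode before interpolating into the HTML.
function renderSafe(query) {
  if (!validateQuery(query)) return '<p>Invalid search query.</p>';
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Check used by the tests: does the rendered markup still hold a raw script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed probe input: the same harmless test string the article uses.
const probe = '<script>alert(1)</script>';
console.log(renderUnsafe(probe)); // raw tag reaches the page
console.log(renderSafe(probe));   // tag is rendered as inert text
```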
Types of Cross-Site Scripting
There are three primary types of XSS attacks: reflected, stored, and Document Object Model (DOM)-based XSS. Let’s look at each of them.
Reflected XSS
Also known as Non-Persistent or Type-II XSS.
It is considered one of the easier XSS attacks, with an impact anywhere from low to critical. This attack occurs when an attacker looks for client-supplied inputs into which a payload can be injected. If that input is not sanitised or appropriately encoded, the website treats it as a legitimate, executable function and runs it. The impact of this attack is reflected back on the website, hence the name reflected XSS.
This attack involves manipulating search boxes, URLs, submitted forms, and many similar parameters.
Stored XSS
Also known as Persistent or Type-I XSS.
Stored XSS has a straightforward explanation. Imagine a scenario where an attacker injects a malicious JS payload while filling in an account profile; every time that detail is loaded, the attack executes. When the code is accepted, stored and processed by the server through various inputs, say comments, forums, data fields or contact forms, to name a few, it is a case of stored XSS.
DOM-based XSS
Also known as Type 0 XSS.
DOM-based XSS is slightly different: it occurs when the vulnerability exists on the client side (in the browser) of the application and is exploited at run time. This sets it apart from the two types above, because reflected and stored XSS are server-side issues.
When a client-side script causes the DOM environment to behave unexpectedly, we say DOM-based XSS has been exploited.
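The client-side source-to-sink flow described above, as an added example that is not part of the original article: the page reads a name from the URL fragment (the source) and writes it into the document, once through innerHTML (the vulnerable sink) and once through textContent (the safe sink). The fragment format, the element id and the stand-in element object are assumptions for this illustration.

```javascript
// Added example (not from the original article): DOM-based XSS never touches
// the server. The element is passed in so the logic can also be exercised in
// Node.js with a plain object standing in for the DOM node.

// Source: read a "name" value the page expects in the fragment, e.g. #name=Ana
// (assumed format). Malformed percent-encoding yields an empty name.
function nameFromHash(hash) {
  const m = /^#?name=(.*)$/.exec(hash || '');
  if (!m) return '';
  try { return decodeURIComponent(m[1]); } catch (e) { return ''; }
}

// Vulnerable sink: innerHTML parses the value as markup. Script elements
// inserted this way are not run by browsers, but other attacker-controlled
// markup is interpreted, so any untrusted value reaching this sink is a bug.
function greetUnsafe(hash, el) {
  el.innerHTML = 'Welcome, ' + nameFromHash(hash);
  return el.innerHTML;
}

// Hardened sink: textContent treats the value as inert text. The characters
// are still displayed, but the browser never parses them as HTML.
function greetSafe(hash, el) {
  el.textContent = 'Welcome, ' + nameFromHash(hash);
  return el.textContent;
}

// Minimal stand-in for an element when no DOM is available (Node.js).
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed probe: the article's own test string, URL-encoded into the fragment.
const probeHash = '#name=' + encodeURIComponent('<script>alert(1)</script>');
console.log(greetUnsafe(probeHash, fakeElement())); // markup reaches the sink
console.log(greetSafe(probeHash, fakeElement()));   // shown as plain text only

if (typeof document !== 'undefined') {
  // In a real browser, bind to an actual node (assumed id) and the live fragment.
  greetSafe(location.hash, document.getElementById('greeting'));
}
```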
Practising Cross-Site Scripting
You can practise the various types of XSS attacks by following the steps below.
- Make a list of payloads (resources) such as a cheat sheet, and try them using tools such as XSS Hunter and Burp Suite.
- Various labs let you try web application penetration testing, such as PortSwigger, DVWA, and GitHub repositories.
- If you are into bug bounty, large organisations offer bounties for finding critical vulnerabilities like XSS.
Cross-Site Scripting- Prevention Tips
The fundamental concept here is that XSS circumvents the same-origin policy: the injected script runs as part of the vulnerable site’s own origin.
To prevent XSS attacks, here is what developers can do.
- Ensure that all inputs are adequately sanitised. An attacker trying to submit a code snippet should be shown a warning about an unrecognised character pattern rather than having the input accepted.
- Implement a Content Security Policy (CSP). It is delivered as a header or a meta tag and counters multiple types of attacks, including clickjacking and XSS.
- HTML-encoding the input converts certain symbols essential to JavaScript syntax so that it cannot execute. For example, after encoding, the ‘<’ and ‘>’ symbols become ‘&lt;’ and ‘&gt;’ respectively. However, that alone is not enough; we also need data validation to define what is required and check what the user supplies.
- The X-XSS-Protection header is a server response header that told browsers to block a reflected XSS attack on detection. Modern browsers have removed this filter, so do not rely on it in place of the other measures.
- Set the HttpOnly cookie flag to prevent client-side script from accessing sensitive cookies that need protecting.
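The CSP and cookie tips above in concrete form, as an added example that is not part of the original article: a weak header set beside a hardened one, plus an audit function that flags the weak settings. Header names are the real ones; the policy directives, cookie name and attribute choices are illustrative assumptions, not a universal recommendation.

```javascript
// Added example (not from the original article): response headers behind the
// prevention tips, with an audit that reports the weak settings.

// Weak: no CSP, and a session cookie that client-side script can read.
const weakHeaders = {
  'Set-Cookie': 'session=abc123; Path=/',
};

// Hardened (assumed policy): CSP that forbids inline script and limits script
// sources; session cookie unreadable by script (HttpOnly), sent only over
// TLS (Secure), and not attached to most cross-site requests (SameSite).
const hardenedHeaders = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
  'Set-Cookie': 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
};

// Parse a Set-Cookie value into the set of its attribute names (lower-cased).
function cookieAttributes(setCookie) {
  return new Set(
    setCookie.split(';').slice(1).map((a) => a.trim().split('=')[0].toLowerCase()),
  );
}

// Return a list of findings; an empty list means every check passed.
// X-XSS-Protection is deliberately not checked: modern browsers have removed
// the filter it controlled, so its presence is not a control.
function auditHeaders(headers) {
  const findings = [];
  const csp = headers['Content-Security-Policy'];
  if (!csp) findings.push('missing Content-Security-Policy');
  else if (/'unsafe-inline'/.test(csp)) findings.push("CSP contains 'unsafe-inline'");
  const cookie = headers['Set-Cookie'];
  if (cookie) {
    const attrs = cookieAttributes(cookie);
    if (!attrs.has('httponly')) findings.push('session cookie lacks HttpOnly');
    if (!attrs.has('secure')) findings.push('session cookie lacks Secure');
  }
  return findings;
}

console.log(auditHeaders(weakHeaders));     // three findings
console.log(auditHeaders(hardenedHeaders)); // []
```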
Conclusion of the Topic
This concludes the topic of Cross-Site Scripting (XSS) attacks and prevention tips. We hope it has helped you understand the vulnerability from the developers’ point of view.
XSS is a vulnerability that can also pave the way for other severe issues, the worst of them being account takeover, website defacement, and delivering malware or a trojan to the system.
Other impacts include session hijacking, stealing login credentials, and phishing other users of the website.
We therefore urge you to take due measures to secure your digital assets from XSS attacks and to beware of any such attempts against your account.
Author Bio: This article has been written by Rishika Desai, a B.Tech Computer Engineering graduate with a 9.57 CGPA from Vishwakarma Institute of Information Technology (VIIT), Pune. She currently works as a Threat Intelligence Researcher at CloudSEK. She is a good dancer, poet and writer. Animal love engulfs her heart and content writing comprises her present. You can follow Rishika on Twitter at @ich_rish99.