What is Cross-site Scripting (XSS)?

What is Cross Site Scripting (XSS)?

XSS, or cross site scripting, is a type of attack on a web application that allows an attacker to compromise the visitors of the infected web application. By exploiting XSS vulnerability, an attacker can inject malicious scripts on a page of the infected web application. These scripts get executed when a user loads the infected page. On the BreachLock cloud platform, it is one of the most commonly identified vulnerabilities in web applications, and XSS is also listed as one of the Top 10 OWASP web application vulnerabilities.

If an XSS attack is successful, an attacker can:

• Gain unauthorized access to cookies, session IDs, and passwords of a victim
• Read and access all the information displayed to a victim
• Compromise or modify the content being shared with a victim

Example of XSS Attack

Consider that your web application is based on PHP, and there is a search box. The piece of code given below is used when there is no search result, and the web application says, “Could not find any pages when searching for user_query.”

Essentially, this will output the user’s search query straight into the HTML document and if the search query contains HTML, the user’s browser will render it.consider that the attacker sends a link like the one given below to the victim via social media sites, free download websites, or phishing campaigns.

When a user clicks on this link, the search box will search for
If the web application does not have input validation, the user’s browser will render
And accordingly, HTML injected by the attacker will be executed. It contains a script tag that evaluates JavaScript. This JavaScript, in turn, sends the user’s cookie to a third-party website of the attacker.

How can it be mitigated?

Mitigating XSS vulnerabilities significantly depends upon the context, and no patch can completely deal with this issue. However, multiple steps can be taken to reduce the chances of such an attack.

HTML Body

Here, Bad_script is the search query of a user.

HTML Attributes

To prevent the creation of other attributes, convert the untrusted user input to HTML entities as discussed above. While the web application is being developed, do not allow any user data into parameters such as.

Untrusted URL

Trusted URLs can be whitelisted and when the user search query comes as an input, it can be run through URL library. Also, JavaScript must be blocked from running by using a protocol handler.

GET Parameter

Encoding of user data helps in preventing the use of ampersand as it will lead to parameter pollution issues.

CSS Value

Encode the user input using CSS hex.

JavaScript variable

Prevent line breaks and put quotes around the variable (i.e., user input) and hex encode.

DOM XSS

Use input sanitization by utilizing the inbuilt libraries in PHP, or any other language which your web application is coded.

Detect and Remediate Common XSS Vulnerabilities

XSS vulnerabilities are common, especially in web applications. For more information on how to find and remediate web application links, one of the most common XSS vulnerabilities discovered by BreachLock pentesters, check out this technical article on How to Fix XSS Vulnerabilities in web app links.
If you suspect that your organization is vulnerable to  (XSS) attacks, schedule a call with breachlock team nd we ensure that any user-supplied data that is included in your web pages is properly encoded to prevent it from being interpreted as executable code by the browser.

Author

Ann Chesbrough