Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user’s browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.
A web page or web application is vulnerable to XSS if it uses unsanitized user input in the output that it generates. This user input must then be parsed by the victim’s browser. XSS attacks are possible in VBScript, ActiveX, Flash, and even CSS. However, they are most common in JavaScript, primarily because JavaScript is fundamental to most browsing experiences.
Risks of XSS Vulnerabilities
If an attacker can abuse an XSS vulnerability on a web page to execute arbitrary JavaScript in a user’s browser, the security of that vulnerable website or vulnerable web application and its users has been compromised. Like any other security vulnerability, XSS is not just the user’s problem. If it is affecting your users, it affects you.
Cross-site Scripting may also be used to deface a website instead of targeting the user. The attacker can use injected scripts to change the content of the website or even redirect the browser to another web page, for example, one that contains malicious code.
Why Can XSS be Dangerous?
XSS vulnerabilities are perceived as less dangerous than, for example, SQL Injection vulnerabilities. The consequences of being able to execute JavaScript on a web page may not seem dire at first. Most web browsers run JavaScript in a very tightly controlled environment. JavaScript has limited access to the user’s operating system and the user’s files. However, JavaScript can still be dangerous if misused as part of malicious content:
Malicious JavaScript has access to all the objects that the rest of the web page has access to. This includes access to the user’s cookies. Cookies are often used to store session tokens. If an attacker can obtain a user’s session cookie, they can impersonate that user, perform actions on behalf of the user, and gain access to the user’s sensitive data.
JavaScript can read the browser DOM and make arbitrary modifications to it. Luckily, this is only possible within the page where JavaScript is running.
JavaScript can use the XMLHttpRequest object to send HTTP requests with arbitrary content to arbitrary destinations.
JavaScript in modern browsers can use HTML5 APIs. For example, it can gain access to the user’s geolocation, webcam, microphone, and even specific files from the user’s file system. Most of these APIs require user opt-in, but the attacker can use social engineering to get around that limitation.
The above, in combination with social engineering, allows criminals to pull off advanced attacks including cookie theft, planting trojans, keylogging, phishing, and identity theft. XSS vulnerabilities provide the perfect ground to escalate attacks to more serious ones. Cross-site Scripting can also be used in conjunction with other types of attacks, for example, Cross-Site Request Forgery (CSRF).
What Are the Three Types of Cross Site Scripting (XSS) Attacks?
There are several types of Cross-site Scripting attacks: stored/persistent XSS, reflected/non-persistent XSS, and DOM-based XSS. You can read more about them in an article titled Types of XSS.
Reflected Cross-Site Scripting
Reflected XSS occurs when an attacker embeds a malicious script within a URL and tricks the victim into executing it, often by clicking a link. The vulnerable application echoes the same payload in its response sent to the user’s browser (hence “reflected” XSS) without storing it on the server (hence “non-persistent”).
Stored Cross-Site Scripting
Stored XSS involves the attacker injecting malicious code into a web application that saves the payload in a database or server file without executing it. The attack is only triggered when a user loads the compromised page. Because the same stored payload can affect multiple users, this method is also called persistent XSS.
DOM-Based Cross-Site Scripting
DOM-based XSS is a client-side vulnerability where the malicious payload is executed entirely within the browser by manipulating the Document Object Model (DOM) of a page. Such attacks are especially hard to detect because the payload never reaches the server and everything happens in the browser.
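The root cause stated above (unsanitized input reaching the generated output) and the three variants call for two different fixes: output encoding where the server builds the page (reflected and stored), and allow-listing or safe sinks where the value never leaves the browser (DOM-based). The following JavaScript is an added example, not code from the original article; the page template, the allow-list of section ids and the probe string are constructed for illustration.

```javascript
// Added example (not from the original article). All inputs, the page
// template and the allow-list are constructed for illustration.

// Encode the five characters that can break out of an HTML text or
// double-quoted attribute context. Applied at output time, not at input time.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query parameter is interpolated into the response as-is,
// so the browser parses whatever markup it contains (reflected XSS).
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same page, but the untrusted value is encoded for the
// context it lands in. The same fix applies to stored values read back
// from a database before they are rendered.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// DOM-based case: the value comes from location.hash and never reaches the
// server, so the check must run in the browser. Instead of writing the
// fragment into innerHTML, map it onto a fixed allow-list of section ids.
// Malformed percent-encoding makes decodeURIComponent throw; treat that as
// an invalid value rather than letting it abort the page script.
function selectSection(hash, allowedSections, fallback) {
  let candidate;
  try {
    candidate = decodeURIComponent(hash.replace(/^#/, ''));
  } catch (e) {
    return fallback;
  }
  return allowedSections.includes(candidate) ? candidate : fallback;
}

// Review check: does the rendered page still contain a raw tag from the
// input? The probe is a harmless marker string, not an exploit.
function reflectsRawMarkup(html, input) {
  return input.includes('<') && html.includes(input);
}

const probe = '<script>probe()</script>'; // constructed marker string
console.log(reflectsRawMarkup(renderSearchVulnerable(probe), probe)); // true
console.log(reflectsRawMarkup(renderSearchSafe(probe), probe));       // false
```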