Cross-Site Scripting (XSS) Attacks


Cross-site scripting (XSS) is one of the oldest exploits on the Internet, emerging within months of Netscape’s 1995 release of the first JavaScript-enabled web browser. More than two decades later, XSS remains a significant threat, appearing as number seven on the Open Web Application Security Project (OWASP) list of the ten most critical web application security risks.

What is an XSS Attack?

XSS attacks are a type of injection attack in which malicious script is inserted into otherwise benign content and then executes in an unsuspecting user’s web browser. Any dynamic web application that accepts input from a user and then uses that input as part of future output (reflected input) is potentially vulnerable to an XSS attack.

Hypertext Markup Language (HTML), the language used to create web pages, makes it easy to include executable JavaScript alongside the same markup used to lay out text, graphics and other features of a page. Normally, this feature provides a safe and efficient way for a developer to add functionality. However, if the application reflects input and proper security best practices have not been followed, bad actors can take advantage of this embedded JavaScript feature to transport and execute their malicious code.

Consider, as an example, a web form that collects comments from users, asking for information such as name, email address and a comment. After the user hits the Submit button, a new page loads that displays the information just entered and thanks the user for their comment. If, instead of plain text, the user entered text that also included HTML with embedded JavaScript, that JavaScript would execute when the new page loaded.

Of course, most users are unlikely to hack themselves by including malicious code in their own form submissions! Much of the power of XSS attacks stems from their ability to defeat a key element of the web application security model known as the same-origin policy. Here, bad actors take advantage of another “feature” of HTML and the related Hypertext Transfer Protocol (HTTP) that allows form data to be included in the parameters sent along with a Uniform Resource Locator (URL). Using this method, the malicious code is actually stored in a link on a third-party web page and sent to the web form when the user clicks on that link.

Why are XSS Attacks Dangerous?

There are many potential bad outcomes from a successful XSS attack.  Bad actors can get instant access to user data that might include credit card numbers, account numbers, usernames and passwords.  An XSS attack can also be part of a larger scheme that installs malicious code on the user’s system or redirects the user to a fake website where they are vulnerable to additional exploitation.  Although the direct harm is generally suffered by the user, organizations hosting web applications that are leveraged for XSS attacks can see their reputations diminished and may lose customers due to the perceived breach of trust.

Defending Against XSS Attacks

Since XSS attacks primarily take advantage of websites that reflect input indiscriminately, the first line of defense against XSS attacks is to validate and sanitize form data before it is accepted. Beware of simplistic solutions such as merely blocking inputs that contain HTML <script></script> tags, as these steps can be defeated. Instead, each form element should be specifically validated. For example, email fields in a form should be configured to accept only properly formatted email addresses and reject all other input.

The second line of defense, when supported by the environment being administered, is to apply a process called escaping to any untrusted data before it is used as output. In escaping, certain text characters are replaced with an escape code to prevent JavaScript or other code from accidentally executing. Two very common characters to escape are the less than and greater than symbols (< and >) that are used to bracket HTML tags. To sanitize untrusted text, these characters are replaced with the escape codes &lt; and &gt; respectively. The web browser recognizes these special codes and displays the proper character, but the risk of the web browser being confused into running untrusted code is eliminated.
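The two defenses above, applied to the comment form from the earlier example, as an added illustration that is not part of the original article: field-specific validation of the submission, then HTML escaping of every reflected field when the thank-you page is rendered. The field names, the simplified email pattern and the sample submission are assumptions made for this example.

```javascript
// Added example (not from the article): validate the comment form's fields,
// then escape reflected output so user text can never be read as markup.

// Simplified email pattern for illustration; a production validator would be
// stricter, but the principle is the same: accept only the expected shape.
const EMAIL_RE = /^[^\s@<>"'()]+@[^\s@<>"'()]+\.[A-Za-z]{2,}$/;

// First line of defense: validate each field on its own terms.
// Returns the names of rejected fields; an empty array means accepted.
function validateSubmission(form) {
  const errors = [];
  if (typeof form.name !== 'string' || form.name.trim() === '' || form.name.length > 100) {
    errors.push('name');
  }
  if (typeof form.email !== 'string' || !EMAIL_RE.test(form.email)) {
    errors.push('email');
  }
  if (typeof form.comment !== 'string' || form.comment.length > 2000) {
    errors.push('comment');
  }
  return errors;
}

// Second line of defense: escape the characters that let text be mistaken
// for markup. The article names < and >; &, " and ' are escaped too so the
// same function is safe inside quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render the thank-you page, escaping every reflected field at output time.
function renderThankYou(form) {
  return (
    '<p>Thanks for your comment, ' + escapeHtml(form.name) + '!</p>\n' +
    '<p>We will reply to <a href="mailto:' + escapeHtml(form.email) + '">' +
    escapeHtml(form.email) + '</a>.</p>\n' +
    '<blockquote>' + escapeHtml(form.comment) + '</blockquote>'
  );
}

// Constructed sample submission whose comment carries a script tag.
const sampleSubmission = {
  name: 'Alice',
  email: 'alice@example.com',
  comment: 'Nice post <script>alert(1)</script>',
};

console.log(validateSubmission(sampleSubmission)); // [] (accepted)
console.log(renderThankYou(sampleSubmission));     // script tag shown as text
```

In the rendered page the comment appears literally as `&lt;script&gt;...&lt;/script&gt;`, which the browser displays as text rather than executing.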

Understanding cross-site scripting is an important component of your preparation for a variety of security certification programs.  Think you have this concept mastered?  Try your hand at a practice test question.  If you’re interested in receiving weekly practice test questions and a guided approach to learning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.
