Cross-Site Scripting (XSS)

What is Cross-Site Scripting?
Cross-Site Scripting (known as XSS) is one of the most common web application attacks and is performed at the application layer. The attack plays out on the client side, in the victim's browser: the attacker gets HTML or JavaScript of their choosing to run as part of a particular web page, where it is indistinguishable from the site's own scripts. XSS is not a weakness of JavaScript or HTML themselves; it arises when an application places untrusted input into a page without the validation or encoding that context requires. An attacker exploits this to change how the page behaves in the victim's browser and to steal the victim's sensitive information.
How does XSS work?
XSS comes into the picture when an application accepts input from a user and displays it on a web page without any encoding or validation. On a vulnerable application this allows an attacker to inject HTML or JavaScript and steal sensitive information from the victim's browser, such as the session cookie. Please note that the attacker targets the users of the vulnerable application: the injected script runs in their browsers with their privileges on the site, not on the server.
When a user can inject HTML or JavaScript via an input, and neither the client nor the server encodes or validates it, the injected code is executed by the browser of whoever views the affected page. The resulting information disclosure can have serious impact, up to account takeover of the victim.
What can an attacker do by exploiting XSS?
As explained above, an attacker can run their own script on the vulnerable page and steal sensitive information about the victim. This can be anything the browser holds for that site, such as the session cookie. If the attacker obtains the session cookie, they can perform any operation on the victim's account, such as changing the password or the email address. This leads to account takeover and can lock the victim out of the account temporarily or permanently.
Which information can be disclosed by exploiting XSS?
·      Session cookie: if the HttpOnly flag is not set. With HttpOnly set the script cannot read the cookie, but it can still send requests that the browser authenticates with it.
·      CSRF tokens: if stored in the web page
·      Personal information like a Social Security Number or bank account number: if stored in the web page
·      Contact information like a mobile number or email address: if stored in the web page
·      Third-party API keys: if stored in the web page
·      Application-related information: for example, the friend list on a social networking site
·      Browser local storage: many applications use local storage to hold session or CSRF tokens, and any script running on the origin can read it
What are the types of XSS?
·      Persistent (stored) XSS: a parameter that the application stores in its database is vulnerable, so the payload is stored too and is rendered every time that parameter is displayed on a web page. This is the most severe type, because every user who views the affected page is attacked without having to click anything. Example parameters: name, comment, message, about me, etc.
·      Non-persistent (reflected) XSS: as the name indicates, the payload is not stored; it is reflected back from the current request, typically from a parameter in the URL, so the attacker has to get the victim to open a crafted link. The classic example parameter is a search string.
·      DOM-based XSS: the payload does not have to pass through the server at all. Client-side script on the page reads attacker-controlled data from a source such as the URL (for example the fragment after # or a GET parameter) and writes it into a dangerous sink such as innerHTML or document.write, so the browser executes the payload when that vulnerable script runs.
Example:
Suppose an application asks each user to add biodata for their public profile. An attacker can supply the following payload in the biodata parameter.

<script>alert(document.cookie);</script>

In this scenario, the payload is saved in the database as the attacker's biodata. Whenever any user visits the attacker's profile, the script is executed by that user's browser. The alert is only a proof of concept; the attacker can supply any malicious script to obtain the information they want.
How to prevent XSS?
Developers can prevent persistent and non-persistent (stored and reflected) XSS with input validation and, above all, output encoding: every piece of untrusted data must be encoded for the context in which it is placed (HTML body, HTML attribute, JavaScript string, URL). Validation must be performed on the server side and not only on the client side, because the attacker controls the client.
DOM-based XSS is avoided by careful client-side coding: treat data taken from the URL and other client-side sources as untrusted and write it into the page through safe DOM APIs such as textContent rather than innerHTML. The rules for each type will be explained in later blogs. Stay tuned to get more about each type of XSS.
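The biodata scenario above and the encoding advice in this section, as an added example written for this post (it is not code from the original article). It assumes a simplified profile template; the function names escapeHtml, toJsStringLiteral, renderProfileUnsafe, renderProfileSafe, containsInjectedScript, showSearchTermUnsafe and showSearchTermSafe, and the sample attacker profile, are constructed here for illustration. It goes a little beyond the post by also covering the JavaScript-string context and the DOM innerHTML sink.

```javascript
// Added example, not from the original post. Names and sample data below are
// assumptions made for illustration.

// HTML-context encoder: neutralises the characters that can open or close
// tags and attributes. Use it for data placed in element content or inside
// a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// JavaScript-string-context encoder: HTML encoding is the wrong tool when
// data is written into an inline <script>. A JSON string literal with "<"
// escaped keeps quotes inert and stops "</script>" from closing the block.
function toJsStringLiteral(untrusted) {
  return JSON.stringify(String(untrusted)).replace(/</g, '\\u003c');
}

// Vulnerable rendering: stored profile fields are concatenated straight into
// the page, so the biodata payload runs in every visitor's browser and the
// name breaks out of the inline JavaScript string as well.
function renderProfileUnsafe(user) {
  return `<div class="profile">
  <h2>${user.name}</h2>
  <p>${user.biodata}</p>
  <script>var displayName = "${user.name}";</script>
</div>`;
}

// Hardened rendering: every user-controlled value is encoded for the
// context it lands in (HTML element content vs. a JavaScript string).
function renderProfileSafe(user) {
  return `<div class="profile">
  <h2>${escapeHtml(user.name)}</h2>
  <p>${escapeHtml(user.biodata)}</p>
  <script>var displayName = ${toJsStringLiteral(user.name)};</script>
</div>`;
}

// Crude check: the template itself contributes exactly one <script opener,
// so a second one means user data reached the page as live markup.
function containsInjectedScript(html) {
  const openers = (html.match(/<script\b/gi) || []).length;
  return openers > 1;
}

// DOM-based variant: the source is the URL fragment, the sink is innerHTML.
// Both functions accept a real DOM element or, offline, any plain object
// with innerHTML/textContent properties.
function showSearchTermUnsafe(el, hash) {
  const term = decodeURIComponent(hash.replace(/^#/, ''));
  el.innerHTML = 'Results for: ' + term;    // markup in term is parsed
}
function showSearchTermSafe(el, hash) {
  const term = decodeURIComponent(hash.replace(/^#/, ''));
  el.textContent = 'Results for: ' + term;  // term stays inert text
}

// Constructed sample: the attacker's profile from the scenario above, with a
// name that also targets the JavaScript-string context.
const attackerProfile = {
  name: 'Mallory";alert(document.cookie);//',
  biodata: '<script>alert(document.cookie);</script>',
};

console.log(renderProfileUnsafe(attackerProfile));
console.log(renderProfileSafe(attackerProfile));
```

Running the block prints the two renderings side by side: in the unsafe one the biodata appears as a live script element, while in the safe one it is shown literally as `&lt;script&gt;...` and the name can no longer terminate the JavaScript string. The same pattern applies to every untrusted value, not just the two fields shown.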
