Over the past few months, there has been much talk about COVID-19 and what it means for businesses with employees working from home. Today, I thought I would change it up and get back to the basics of cybersecurity to talk about a type of attack that is very popular against web applications. This attack is known as XSS, or cross-site scripting.
What is XSS?
Cross-site scripting is a type of attack that a hacker or adversary might use on a web application where they manipulate the HTML code on the web page to insert a script that executes a payload. This happens when your computer tries to interact with the web browser you are on for the web application. Your computer believes that it is uploading a normal web page script that hasn’t been altered. Still, because the adversary was able to find a spot in the HTML where they could inject malicious code, your computer will accidentally upload the modified code from the page. The malicious code then makes its way from the browser to your computer and inflicts the damage that the script was written to carry out. The payloads that the adversary could inject into the page range from things like worms or viruses to more severe things such as a script that could steal your credentials. These attacks are carried out in two different forms: persistent or reflective XSS.
Persistent or stored XSS
As the name suggests, persistent or stored XSS is a type of cross-site scripting where the malicious script is put on the web page and remains unchanged or unchecked on the browser. To make these types of changes to the script, the adversary would need access to the source code of the page and access to the web servers. This type of attack is popular in message forums and comment communities because it requires the user to store data on the server by entering their comments, which allows the code to inject itself on the device.
Reflective or non-persistent XSS
Reflective XSS is a form of cross-site scripting that happens when the user is tricked into clicking a malicious link from a phishing email or other social engineering techniques. The link interacts with the web browser in a way that reflects the HTTP response to include the payload and execute the attack in the user’s web browser. Because of the way the attack is distributed, this is the most popular way that an XSS attack is executed.
XSS Prevention and Discovery
The Open Web Application Security Project still rates XSS as a top ten web app vulnerability. We as users need to be aware that this vulnerability still exists and has been around since the late 1990s. Even though certain vulnerabilities have been around for so long, they are still hard to prevent. Despite this, there are three things developers can do to help prevent these things from ending up on their web browser.
- Validating inputs: This first recommendation falls on the web developers. By validating its inputs, the application makes sure it is rendering the correct data and prevents malicious data from being injected and causing harm.
- Sanitizing: The site cleanses and scrubs user inputs to prevent them from opening security holes or injections.
- Escaping: The final step a web application can take is to escape the data so that anything the user sees is secure before it is rendered.
As always, if you ever receive an email from an outside source, make sure that you trust the source the information is coming from. It is very easy to fall victim to a phishing attempt, which can cause more than just XSS harm to your computer.
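The three measures listed above, applied to a comment form like the forum case described earlier. This is an added example, not code from the original post; the function names, the username rule, the length limit and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: validate, sanitize and escape a stored comment before rendering.
// All names and limits here are hypothetical, chosen for illustration.

// Characters that are significant in HTML text and quoted attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escaping: encode on output so the browser treats the value as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validating: accept only what the field is supposed to contain (allow-list).
function validateUsername(name) {
  return typeof name === "string" && /^[A-Za-z0-9_]{3,20}$/.test(name);
}

// Sanitizing: normalise free text (drop control characters, trim, cap length).
function sanitizeComment(text) {
  return String(text)
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "")
    .trim()
    .slice(0, 500);
}

// Render one stored comment as HTML. Returns null when validation rejects it.
function renderComment(username, text) {
  if (!validateUsername(username)) return null;
  return `<p><b>${escapeHtml(username)}</b>: ${escapeHtml(sanitizeComment(text))}</p>`;
}

// Constructed sample input: a normal comment, a comment containing markup,
// and a username that fails the allow-list.
const SAMPLES = [
  ["alice_01", "Great post & thanks!"],
  ["bob", "<script>alert(1)</script>"],
  ["<img src=x>", "hello"],
];

function demo() {
  return SAMPLES.map(([user, text]) => renderComment(user, text));
}

console.log(demo());
```

The escaping shown here is for the HTML context; values placed in URLs, JavaScript or CSS need the encoding for that context instead.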
Written by Adam Voss
Adam Voss graduated from Maryville University with an emphasis on pen-testing. Currently, he works at TechGuard as a cybersecurity analyst. When he's not working on projects or expanding his knowledge in the field to get his certs, he can be found doing something that involves physical exercise or rooting for the Cardinals or Blues.