When we think of cyberattacks, we think about data breaches, viruses, and malware, but have you ever heard of cross-site scripting, aka XSS attacks? Probably not. Even though it’s one of the most notorious and common threats in web applications we use today. So what is it?
What is cross-site scripting (XSS)?
Cross-site scripting, or an XSS attack, is a type of injection attack. Attackers insert malicious scripts, typically written in JavaScript, into a trusted website. When other users visit the affected web page, unbeknownst to them, their browsers execute the injected scripts, thinking it's from a trusted source, leading to further dangerous cyberattacks.
Web applications often let users interact with web applications by submitting data through forms or other input fields. Hackers can exploit this vulnerability to inject malicious scripts if the application doesn't adequately validate and sanitize this user input.
XSS attacks pose significant risks, including financial loss, data breaches, compromised systems, damaged reputations, and legal consequences. Developers and website owners must implement robust security measures and set up tools like web application firewalls and unified threat management software to prevent XSS vulnerabilities.
How does cross-site scripting (XSS) work?
Let’s start by learning about the same-origin policy to understand how cross-site scripting attacks work.
Same-origin policy
The same-origin policy is an in-built security mechanism in web browsers that prevents data theft. For instance, content from one site is granted permission to use cookies and other resources on a user’s web browser. Per the same-origin policy, content from any URL with the same uniform resource identifier (URI), hostname, and port number also shares these permissions. If these three attributes differ, the site needs separate permission.
When the same-origin policy isn’t strictly enforced using web security measures like validation and sanitization of user input, it creates vulnerabilities in web applications.
Definition of validation and sanitization in web application security
-
Validation is the process of checking and certifying that user input meets the expected criteria defined by the application. It involves verifying the input data's format, length, type, and range to prevent malicious or unintended values from being accepted.
For example, if a web application expects a numeric input for a specific field, validation makes sure the provided input is a number and that it falls within the allowed range. - Sanitization or output encoding is the process of cleansing or modifying user input to remove any potentially harmful content. It involves applying specific filtering techniques to ensure user-generated content is treated as plain text and not executed as code by browsers.
Cross-site scripting attacks typically use JavaScript, but any client-side programming languages, like PHP, hypertext markup language (HTML), and .NET, also work.
The anatomy of cross-site scripting attack
Let's go through an example to understand how an XSS attack works:
Say there’s a web application with a comment section where users can post messages that are displayed on the website. However, the application’s comment section has a vulnerability that doesn’t properly validate or sanitize user input before it’s displayed.
An attacker identifies this and exploits the liability by injecting harmful JavaScript code into one of the webpages’ comment sections. They post a comment with the following content:
<script>
alert('This is a malicious cross-site scripting (XSS) attack, beware!');
</script>
Now, instead of treating the injected code as plain text, the unguarded application displays the comment on the website without proper encoding or validation. When other users visit the web page that has this comment, their browsers interpret the injected JavaScript code as part of the website's content and execute it.
As a result, an alert box pops up, displaying the message, "This is a malicious cross-site scripting (XSS) attack, beware!"
If that weren’t bad enough, the attack consequences could be much more severe, depending on the cyber criminal’s intentions. Threat actors may leverage the executed script to steal sensitive information, redirect users to phishing websites, log keystrokes, capture form submissions, or compromise the system by downloading and executing malware.
The consequence of cross-site scripting (XSS) attacks
Attackers can use XSS attacks to
- Redirect users to a harmful website
- Obtain keystrokes and access browser history and clipboard contents
- Infect the user’s device with other malware or even take over the victim's computer
- Steal the user’s login session token, mimic legitimate user, and interact with the application
- Force the user to send attacker-controlled requests to the web server and launch denial of service attacks
- Alter the content of a web application and use it to inject malicious ads
¿Quieres aprender más sobre Cortafuegos de Aplicaciones Web (WAF)? Explora los productos de Cortafuegos de Aplicaciones Web (WAF).
XSS attack vs. CSRF vs. SQL injection
It’s easy to confuse XSS with SQL injection and cross-site request forgery (CSRF) because all three exploit web application vulnerabilities. However, they are distinct web security threats and vary in their nature and the type of attacks they engender.
- XSS attacks inject malicious codes into a trusted website and cause the user’s web browser to execute it inadvertently.
- Cross-site request forgery tricks an authorized user by using social engineering techniques like phishing to make malicious requests on behalf of the user.
- SQL injection attacks inject malicious SQL code into the database layer of a web application to access data that wasn’t supposed to be shown.
.png)
History of XSS attacks
XSS vulnerabilities date back to the early days of the internet. As web pages became more interactive with the launch of JavaScript in 1995, developers began accepting user input through forms and other cooperative elements on web pages.
However, the developers didn’t effectively validate and sanitize the user input and exposed vulnerabilities that attackers could – and did – exploit. A team of Microsoft security engineers first coined the term “cross-site scripting” for these attacks, and over time, its definition expanded to include other types of code injection attacks.
Before 2005, most security researchers focused on other web security threats like buffer overflow attacks, worms, botnets, or viruses. That was until the infamous Samy worm on MySpace infected over one million users in 24 hours using an XSS attack, demonstrating its potential scale and impact.
Following the devastating blow, the cybersecurity community made laudable efforts to address the XSS vulnerabilities. But even then, it remains to be a persistent menace to the security of web applications. Major websites like Orkut, Youtube, Yahoo Mail, eBay, Amazon, Twitter, and Facebook have faced XSS attacks over the years.
3 major types of XSS attacks with examples
XSS attacks are generally classified into three major categories:
- Stored cross-site scripting attacks (persistent)
- Reflected cross-site scripting attacks (non-persistent)
- Document object model (DOM)-based XSS attacks
.png)
1. Stored XSS attacks (persistent)
Stored or persistent cross-site scripting occurs when a malicious script is permanently stored on the targeted web application’s server and presented to users who access a specific page. It usually happens when user input is not properly validated and sanitized before storage.
The damaging script is executed automatically when other users load the injected page. Since the payload is stored by the web server and then embedded in an HTML page provided to the user, this is called a stored XSS attack.
The most common example of stored XSS attack is unsanitized HTML codes that are posted as messages on online forums, visitor logs, or comment fields. Any user who clicks through to the page where the comment appears is affected by the attack, without scrolling down to the comment section or even clicking on it.
Recent stored XSS attack example
In February 2023, the WordPress security team found attackers had exploited a stored XSS vulnerability in one of the WordPress plugins called “Beautiful Cookie Consent” that had over 40,000 installations. Researchers figured out that hackers could add unsafe JavaScript to a website using the cookie to redirect users.
2. Reflected XSS attacks (non-persistent)
App developers have to watch out for these the most often. In a reflected XSS attack, a user gives an app input, and then, the non-persistent attack makes server-side scripts use that data immediately. The scripts utilize that info to show the user a web page, but the input hasn’t been properly sanitized.
It’s called a reflected cross-site scripting attack because the server immediately echoes the malicious payload as a response to an HTTP request from the unknowing victim.
For instance, a trusted web application called mybank.com has a search feature. It displays the users’ search query on the results page without proper validation and output encoding. An attacker could construct the following malicious URL to exploit this vulnerability:
https://mybank.com/search?q=<script>alert(‘/*harmful script stealing user session’);</script>
The attacker will then deliver this legitimate-looking URL to users via email or other neutral websites. Thinking it's from their bank website, one of the users clicks on the crafted link, and the hacker’s script is executed, and the victim is none the wiser.
Recent reflected XSS attack example
In May 2023, researchers found severe reflected XSS vulnerabilities in two of the most common WordPress plugins used to create custom fields on WordPress sites. Attackers could potentially exploit this instability to make a privilege escalation attack by tricking the privileged users into clicking a devious URL path.
3. DOM-based XSS attacks
DOM-based XSS attacks were first defined by web application security researcher Amit Klein in 2005. Document object mode is the object-oriented representation of a web page that supports dynamic content. DOM-based XSS attacks happen when hackers take advantage of DOM vulnerabilities. The web page doesn’t change, but the client-side code with the corrupting payload on DOM runs in the user’s browser.
DOM-based XSS attacks transpire entirely on the client side, in contrast to stored and reflected XSS attacks, which happen due to weak points on the server side.
Recent DOM-based XSS attack example
In November 2022, security researcher Justin Steven, found a vulnerability in a marketing widget provided by Gartner that could lead to DOM-based XSS attacks. Any website using the widget could be used to execute arbitrary JavaScript code in a user’s browser using this vulnerability by cyber criminals.
Other types of XSS attacks
Apart from the three major categories of XSS attacks mentioned above, several other variations of XSS attacks exploit specific vulnerabilities.
Self-XSS
Self-cross-site scripting is more of a social engineering attack wherein the intruder tricks the user into pasting a bad JavaScript into their own browser by themselves. They typically lure the victims in by posting a message that says the user will be able to receive some reward by copying and running certain code. In reality, the code allows the attacker to hijack the victim's account.
Mutation XSS
Mutation XSS or mXSS are made possible due to a vulnerability in the DOM property called innerHTML and the way the HTML code is parsed when delivering dynamic content. Hackers inject specially crafted malicious codes that appear safe, but mutate and become XSS attack vectors in the browser.
Blind XSS
A variant of persistent XSS attacks, blind cross-site scripting attacks result in malicious payloads being stored in a web application server only to be executed by the backend user or the application admin.
7 XSS attack preventive measures
Vulnerabilities continue to exist in many of our web apps, but researchers have proposed multiple XSS solutions, from simple static analysis to complex runtime protection mechanisms. A few of them are discussed here.
1. Web frameworks and secure coding libraries
Modern web frameworks and secure coding libraries provide a standard way to develop and deploy web applications on the internet without security-related design and implementation flaws. A developer might not have all the resources to properly implement safety features when building an app from scratch. Working with secure coding libraries and web framework tools help avoid any security gaps or errors in code.
2. Input validation and output encoding
Input validation and output encoding are key defense techniques against XSS attacks. Input validation ensures user-generated content is in the expected format and rejects or neutralizes any data that doesn’t match the criteria.
Output encoding sanitizes any special characters in the unfamiliar user-generated input so they will be interpreted as plain text. This confirms the web browser doesn’t register user input as markup or JavaScript code under any circumstances. Both these techniques prevent security vulnerabilities that XSS can exploit.
3. HTML sanitization
A number of web application developers use what you see is what you get (WYSIWYG) editors to create text and video content for their web pages in HTML language. In these cases, it becomes important to sanitize the HTML codes to protect against XSS attacks.
HTML sanitization permits basic HTML tags like <b>, <i>, <u>, <em>, and <strong>. At the same time, it removes more advanced tags like <script>, <object>, <embed>, and <link> that can be used to inject malicious codes.
The Open Source Foundation for Application Security (OWASP), a leading security community, recommends using DOMPurify for HTML sanitization.
4. Cookie security
Since XSS and other cyberattacks target web cookies, it's important to implement proper cookie security. You can do this by using cookie attributes like the “secure” flag and “HttpOnly” to affirm the cookies are transmitted only via a secure connection.
5. Content security policy (CSP)
CSP is an additional layer of defense for website owners against XSS and other cyber threats like clickjacking and code injection attacks. It defines and restricts the sources from where web browsers can load content, such as scripts, stylesheets, or images, and the URLs from where it can be loaded. CSP stops malicious codes from being executed by specifying trusted sources and blocking or limiting content.
6. Security testing
Regular security testing, including vulnerability scanning and penetration testing, classifies and addresses XSS vulnerabilities. Manual code reviews, vulnerability scanners, and software testing tools with automation can be a part of your routine to detect potential weaknesses and measure the effectiveness of preventive techniques against XSS.
Explore the 5 best penetration testing tools and see which ones best suit your needs!
7. Web application firewalls (WAF)
WAFs are the most common cybersecurity software for protecting web apps against XSS and SQL injections. They monitor and filter incoming traffic and employ analysis to block any abnormal requests to the application and deny malicious script injection.
Top 5 web application firewall (WAF) tools:
- Azure Web Application Firewall
- AWS WAF
- Imperva Web Application Firewall (WAF)
- Cloudflare Spectrum
- Symantec Web Application Firewall and Reverse Proxy
*Above are the five leading WAF solutions from G2’s Summer 2023 Grid® Report.
Security software like unified threat management (UTM) platforms also effectively protects against XSS attacks by integrating multiple security features.
Cross-site scripting: Frequently asked questions (FAQs)
1. What is cross-site scripting?
Cross-site scripting (XSS) attacks web application security vulnerabilities that allow hackers to inject malicious scripts into web pages. These scripts steal sensitive information, manipulate user interactions, or deliver malware.
2. Which language is used in cross-site scripting attacks?
Any client-side programming languages like Javascript, HTML, VBScript, or Flash can be used to write malicious codes in cross-site scripting attacks. But Javascript and HTML are the most commonly used for XSS attacks.
3. What are the three types of cross-site scripting attacks?
Three main types of XSS are stored XSS, reflected XSS, and DOM-based XSS.
4. What is the difference between XSS and CSRF?
XSS injects and executes malicious scripts on a user's browser, while CSRF focuses on exploiting the trust placed in a user's authenticated session to perform unauthorized actions on their behalf.
5. What is the difference between XSS and SQL injection?
XSS attacks target the website's users. SQL injection focuses on the website's data storage and retrieval mechanisms.
Defending the digital realm
Today, the world runs on apps. Cross-site scripting remains a dangerous security vulnerability. It exposes web users to remote access, data theft, and monetary losses. But with proper awareness and preventive measures, its impact can be mitigated if you can help script a safer web if you implement the preventive measures shared here.
Want to write more secure codes? Learn about secure code training software and how it helps developers and programmers.
Soundarya Jayaraman
Soundarya Jayaraman is a Content Marketing Specialist at G2, focusing on cybersecurity. Formerly a reporter, Soundarya now covers the evolving cybersecurity landscape, how it affects businesses and individuals, and how technology can help. You can find her extensive writings on cloud security and zero-day attacks. When not writing, you can find her painting or reading.
