Cross-site scripting (XSS)

Cross-site scripting, known as XSS, is one of the most well-known web security vulnerabilities. It lets an attacker compromise the users of a vulnerable application: the attacker gets their malicious script to run in the victim's web browser, in the context of the vulnerable web application. XSS usually gives access to the victim's data, or lets the attacker perform any action the victim could perform, while the application treats the requests as the victim's own, so the user notices nothing strange. The attacker may then gain full access to, or damage, the user's profile.

Types of XSS attacks

Reflected XSS – The attacker sends the malicious data along with the HTTP request, and the application reflects it back in its response.

[Image: XSS | Cross site Scripting | Attack]

The above image shows how it works: the attacker uses a vulnerable application to deliver malicious code or script to its users. Once the user clicks the crafted link, the script runs in the user's web browser.

Stored XSS – The malicious script is saved in the website's database itself and executed whenever a user accesses the affected page.

E.g.: https://bulnerable-ecomercesite.com/api/users – POST/PUT
{
  "id": "0001",
  "name": "Bhanuka",
  "age": "27"
}

In this case the attacker is able to send a request containing JavaScript in the data of an API call such as POST or PUT. If he sends an alert, it is saved to the database and executed in the web browser of every user who views that data.

<script>alert("You have been attacked!")</script>

DOM-based XSS – It attacks the client side rather than the server side, if the vulnerability exists in client-side code.

In this case the attacker changes the content that client-side scripts process from untrusted sources. The following example shows client-side JavaScript that reads a value and writes it back into the page.

// Source: values the user (or an attacker) controls
var price = document.getElementById('price').value;
var discount = document.getElementById('discount');
// Sink: innerHTML parses the string as HTML, so markup inside 'price' is rendered and scripts can run
discount.innerHTML = 'Your last price is : ' + price;
var search = document.getElementById('search').value;
var result = document.getElementById('result');
result.innerHTML = 'You are looking for ' + search; /* search may contain a script or other content */

Here, too, an attacker can change the value of the input field and very easily put malicious code there, so the page displays attacker-controlled output such as:
Your last price is: 00.001$
You are looking for adults site
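To make the sink above concrete, here is an added example (not code from the original post) that writes the search case as plain functions returning the string that would be assigned to innerHTML, next to a hardened version that HTML-encodes the value first. The function names and the escapeHtml helper are mine; the payload is the one the post uses in the stored XSS section.

```javascript
// Added example, not from the original post. Pure functions stand in for the
// DOM snippet so the string each version would hand to innerHTML can be inspected
// without a browser; function names and escapeHtml are assumptions of this example.

// HTML-entity encoder for the HTML text context: the "output data encoding" control.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: same as `result.innerHTML = 'You are looking for ' + search` in the post.
// The attacker's markup is returned unchanged and the browser would parse it as HTML.
function renderSearchUnsafe(search) {
  return 'You are looking for ' + search;
}

// Hardened: encode before the HTML sink, so the payload is displayed as literal text.
function renderSearchSafe(search) {
  return 'You are looking for ' + escapeHtml(search);
}

// Small check used when reviewing output: does an executable script tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the payload quoted in the stored XSS section of the post.
const PAYLOAD = '<script>alert("You have been attacked!")</script>';

console.log(renderSearchUnsafe(PAYLOAD)); // script tag intact: executes once assigned to innerHTML
console.log(renderSearchSafe(PAYLOAD));   // &lt;script&gt;...: shown as text, nothing runs
```

In the browser the simplest fix for this snippet is to avoid the HTML sink altogether and write the value with `result.textContent` instead of `innerHTML`; encoding is what you need when the value genuinely has to pass through an HTML context.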

What is the purpose of XSS

  1. Pretend to be the victim user.
  2. Read any data the user is able to access, and perform actions on the user's behalf.
  3. Capture the user's sensitive data, such as credentials or bank details.
  4. Perform virtual defacement in the client's web browser.
  5. Inject Trojan functionality into the web site or the clients.
  6. Inject ransomware into clients' computers.
  7. Redirect to unwanted websites for business purposes.
  8. Social engineering.

How to find XSS vulnerabilities in our application

In my experience, I used some commercial tools like AppSpider (for dynamic code analysis) and Checkmarx (for static code analysis) to identify the vulnerabilities in my applications. Please read their documentation on how to create a scheduler to scan your applications.

Preventing XSS attacks

Filter input – When a request reaches your application, validate the data against the conditions you expect. As a best practice, validate your REST endpoint input with a DTO (data transfer object), or use escapeHtml from Apache Commons.

Use suitable response headers – Set the Content-Type and X-Content-Type-Options headers when your HTTP response is not meant to contain HTML or JavaScript, so the browser does not interpret it as such.

Output data encoding – Encode data before writing it into the response; use an HTML encoding mechanism for this.

Support from tools – Run tools like Checkmarx or AppSpider before you publish your web application. They can help identify 100% of the areas that can be attacked by cross-site scripting.
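As an added example (not from the original post) tying the "filter input" and "response headers" points to the /api/users request shown in the stored XSS section, the following Node.js-style code validates the request body against a DTO allowlist and builds the headers for a JSON response. The field rules, function names and the extra "role" field used in the check are assumptions made for this example, not the site's real schema.

```javascript
// Added example, not from the original post. DTO-style allowlist validation for the
// /api/users body quoted above, plus the response headers the post recommends.
// Field rules and names are assumptions of this example, not the site's real schema.

const USER_DTO_RULES = {
  id:   { pattern: /^[0-9]{4}$/,          max: 4 },  // e.g. "0001"
  name: { pattern: /^[\p{L} .-]{1,50}$/u, max: 50 }, // letters, space, dot, hyphen only
  age:  { pattern: /^(?:[1-9][0-9]?|1[01][0-9])$/, max: 3 }, // 1..119 as a string, like the post
};

// Returns { ok, errors }. Rejects unknown fields (no mass assignment) and any value
// that is not a string matching its allowlist pattern, so markup never reaches storage.
function validateUserDto(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(USER_DTO_RULES, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [field, rule] of Object.entries(USER_DTO_RULES)) {
    const value = body[field];
    if (typeof value !== 'string') { errors.push(`${field}: must be a string`); continue; }
    if (value.length > rule.max)   { errors.push(`${field}: too long`); continue; }
    if (!rule.pattern.test(value)) { errors.push(`${field}: contains disallowed characters`); }
  }
  return { ok: errors.length === 0, errors };
}

// Headers for a JSON API response: state the type explicitly and forbid MIME sniffing,
// so a browser never renders the body as HTML or runs it as script.
function jsonApiHeaders() {
  return {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed inputs: the request body from the post, and the same body carrying its payload.
const VALID_BODY   = { id: '0001', name: 'Bhanuka', age: '27' };
const TAINTED_BODY = { id: '0001', name: '<script>alert("You have been attacked!")</script>', age: '27' };

console.log(validateUserDto(VALID_BODY));   // { ok: true, errors: [] }
console.log(validateUserDto(TAINTED_BODY)); // { ok: false, errors: [ 'name: contains disallowed characters' ] }
```

Validation like this is a coarse filter: it stops the obvious payload at the door, but it also rejects legitimate names with characters outside the allowlist, and a field that must accept arbitrary text (a comment, a search term) cannot be protected this way at all. Output encoding at the point where the value is written into HTML is the control that actually prevents XSS; the DTO check and the nosniff header are defence in depth.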