What is XSS? Concerned User’s Guide to Cross-Site Scripting

cross site scripting

Cross-site scripting is one of the prominent nightmares of every security-conscious web application developer. The term was coined twenty years ago by Microsoft security engineers, but the first vulnerabilities of its kind were observed in the mid 1990s. The acronym XSS was chosen so it does not get interchanged with the Cascading Style Sheets language, which adds styles to webpage contents. It covers a very old class of security vulnerabilities, which cannot be found in today’s systems. In those days it was possible to place content from a foreign resource to a website by using frames. The content could then be accessed using JavaScript. Present day vulnerabilities that fit into this category are more accurately named “script injection”. 

The XSS attack abuses possibilities to insert user input in trusted web applications, which the applications process for output. These include forum posts, comments, and web requests among others. When the input is not sanitized properly, there is a possibility for code injection. This way the attacker is able to make the website send browser side script to their victim, while the victim’s browser accepts and executes the script, since it came from a trusted source. The most common scripting language used is JavaScript, but the attack can be executed using VBScript, ActiveX, Flash, or CSS. A recent study by Symantec claims that more than half of websites are susceptible to XSS attacks 

The attacker can achieve a wide variety of goals by abusing an XSS vulnerability. He could make the victim’s browser send sensitive data including cookies and session information, personally identifiable information, or redirect the victim to a malicious webpage. He may gain access to the victim’s webcam, location, microphone and specific parts of their file system. The XSS attack can also be used in combination with other techniques as a first step in advanced attacks aiming for malware distribution, identity theft, and other malicious goals. 


Penetration Testing 

If you are unsure about safety of your web assets, LIFARS can help you with testing for potential XSS vulnerabilities. 


XSS attacks are generally distinguished into three basic categories. 

Stored XSS (Type I) 

When user input is stored on the vulnerable server in form of a database entry, comment, visitor log, user nickname, customer details or similar, while it is improperly sanitized, the attacker may be able to place a malicious script as a part of the entered data.  When an unsuspecting user views the website, their browser executes the script while rendering webpage contents. 

Reflected XSS (Type II) 

When a web application contains user parameters in the URL (after the question mark “?”, e.g. https://www.example.com/index.php?username=Joe) and processes them without proper sanitization, the attacker may craft a parameter that contains a malicious script. It can be obfuscated, so the victim is not alarmed. Such crafted URL link may be sent to the victim by email, or posted on a forum. After the victim clicks on the link, the webpage will send the malicious code to their browser. Since the data came from a trusted domain, the browser will execute the code. 

DOM-based XSS (Type 0) 

Document Object Model-based XSS attack can be performed with a maliciously crafted URL link. JavaScript in the victim’s browser takes the malicious input, and passes it without check to a function (sink), which dynamically executes code. The attack is similar to the reflected XSS, with the distinction that it happens only within the victim’s browser. 

OWASP categorizes these overlapping three sets further into Client XSS and Server XSS. The former considers untrusted user input used to update DOM, while the latter considers the input being included in a server generated HTML response. 

To prevent XSS attacks the web application has to sanitize all user input properly. This is not an easy task, since the attackers are creative in ways to avoid these controls. If you are unsure about safety of your web assets, LIFARS can help you with testing them for potential XSS vulnerabilities.