The Basics of Cross-Site Scripting (XSS)
What is Cross-Site Scripting?
Types of XSS
- Persistent – This type of XSS requires an attacker to locate a vulnerable web application and then inject a malicious code to be stored on the server. The malicious code is not executed immediately.
- Reflected – This type of XSS occurs when a malicious script is reflected off of a web application and/or site back to the browser of a user that trusted a web site they visited.
- DOM-Based (Document Object Model)– This type of XSS occurs when malicious code is being able to manipulate the page’s DOM. This attack is executed on the client side. This type of XSS is least common. Be aware that both persistent and reflected XSS types are executed on the server side.
Popular types of attacks with XSS
- Cookie/session theft
- To steal your current session and do things on your behalf.
- Redirection to a phishing web site
- To steal your credentials
- Execution of exploits discovered in a web browser
- Install malware on the PC
The simple test to check for reflected XSS
- Locate input fields
- Ex. A web form (First name, last name, etc)
- Create input data
- <script>alert(Vulnerable to XSS)</script>
- “Vulnerable to XSS” box reflected on the web page – if the page is vulnerable.
- This is just an alert box demonstrating that the application is vulnerable to XSS. This itself does not present any threat. However, think about what an attacker could do after discovering that particular web application/site is vulnerable to XSS. The limit is their creativity.
How to prevent XSS
Input validation – Validate user input using a blacklist or a whitelist on the server side. Client-side validation cannot be trusted as it can be easily bypassed.
Escaping – Conversion of characters to its escape sequence. For example, a “<” to be converted to “<”.
To conclude, I want to drive one very important point home – ALL data that is received by your application must be treated as it was coming from an untrusted source.