
Cross Scripting Attack: How Does This Happen

Created by Dhnesh Dhingra,

Nov. 16, 2020, 5:07 p.m.

Cross-Site Scripting, usually termed XSS, is a type of vulnerability usually found in the front-end part of a website. As surveyed by OWASP in 2020, it is one of the Top Five attacks hackers use against user-facing websites. In this blog, we will study how the attack occurs, its severity, and how to keep your website safe from it.


History of the Attack:

XSS began in 1997, when a team at the Microsoft Security Response Center found some websites that were being targeted by having malicious image tags and scripts injected into their HTML pages. After slowly recognizing the severity of the attack, the team began its research, published a report explaining the vulnerability, and gave it the name Cross Site Scripting (XSS).


How Does XSS Work:

Let's take an example. Below is a simple HTML page that displays "Hello World".
This means that whenever a user opens the link (http://localhost:8080/ in our case), the browser responds by rendering the page below.


Now suppose the application is dynamic and welcomes users by the name or username given in the URL:

                        http://localhost:8080/Mike


But here lies the loophole: the application does not validate or encode the user-supplied value correctly on the backend. Ultimately, when your favorite JavaScript is appended to the URL:

        http://localhost:8080/Mike<script>alert("Malicious Code")</script>


Now the page alerts the input query, as shown in the browser below, because the JavaScript is executed successfully:



So whenever an attacker injects malicious code or scripts into the website, that malicious JavaScript has access to every object the HTML page has access to. This includes the user's session and cookies. If someone obtains a user's session details, they can impersonate that particular user, act on the user's behalf, and ultimately gain access to their sensitive data.


Types of XSS Attacks:


1. Reflected XSS - This is one of the most commonly used attacks on the internet. The attacker sends a malicious link to the user; when the user opens it in the browser, the script in the link starts executing, collects the user's browser data and cookies, and sends them to the attacker's server or email. In this way the user's data is compromised. To conclude, it arises when an application receives data in an HTTP request and includes that data in the immediate response in an unsafe way.



2. Persistent XSS - Persistent or Stored XSS means that the payload is saved on the actual page, not in a request that is then reflected. The data is submitted to the application via an HTTP request and stored along with the user's particular info. This means that whenever that page is opened, the injected code is read from the database, served in the HTTP response, and compromises the user.


3. DOM XSS - We all know the power of JavaScript. It can interact with the HTML DOM, change DOM elements, and modify what you see in the browser. The website reads data from the DOM and outputs it to the browser. So we can say that if that data is not correctly encoded or handled, the attacker can inject a payload that is stored as part of the DOM and executed when read back from the DOM.


How to Prevent Websites from Cross-Site Scripting Attacks


1. Validating Input - Data can arrive from front-end users in any form. As developers, we should parse it and at least validate strings. Libraries can be used for validation and parsing; this is the common professional way to develop code.


2. Sanitizing HTML - HTML sanitization is the process of examining an HTML document and producing a new HTML document that preserves only the tags designated "safe" and desired. HTML sanitization can protect against attacks such as cross-site scripting (XSS) by sanitizing any HTML code submitted by a user.

3. Enable CSP - Content Security Policy (CSP) is a security standard introduced to help prevent cross-site scripting (XSS) and other content injection attacks. By default it is disabled in browsers: no policy is applied unless the site sends one. To implement CSP, you must define lists of allowed origins for all of the types of resources that your site uses.

4. Use a Content Security Policy - The HTTP Content-Security-Policy response header allows web site administrators to control the resources the user agent is allowed to load for a given page. Its general form is:

        Content-Security-Policy: <policy-directive>; <policy-directive>
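The following added example (not code from the original post) ties together prevention steps 1, 3 and 4: an allowlist check for the username from the walkthrough, a builder that turns a directive map into the Content-Security-Policy header value shown above, and a small parser that audits a policy for the one weakness that matters for the walkthrough's payload, namely whether inline scripts are still allowed. The directive choices, the username rule, and all function names are assumptions for illustration. Sanitizing user-submitted HTML (step 2) is deliberately left to a maintained library, since a correct sanitizer is far larger than this block.

```javascript
// Added example (not from the original post): input validation for the username plus
// building and auditing a Content-Security-Policy header. Names and directive
// choices are assumptions for illustration.

// 1. Input validation: accept only the characters a username can legitimately contain.
//    Anything else (including the walkthrough's <script> payload) is rejected outright.
const USERNAME_RE = /^[A-Za-z0-9_-]{1,32}$/;
function isValidUsername(name) {
  return USERNAME_RE.test(name);
}

// 3/4. Build the header value "directive sources; directive sources" from a plain object.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`.trim())
    .join("; ");
}

// Parse a header value back into { directive: [sources] }. Per the spec, when a
// directive is repeated the first occurrence wins and later ones are ignored.
function parseCsp(policy) {
  const parsed = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in parsed)) parsed[key] = sources;
  }
  return parsed;
}

// Scripts are governed by script-src if present, otherwise by the default-src fallback.
// Returns null when the policy says nothing about scripts at all.
function effectiveScriptSources(policy) {
  const parsed = parseCsp(policy);
  return parsed["script-src"] || parsed["default-src"] || null;
}

// Does the policy stop an injected <script>alert(...)</script> from running?
// It does only if inline scripts are not allowed for the effective script sources.
function cspBlocksInlineScript(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return false; // no script restriction at all
  const allowsInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (!allowsInline) return true; // an empty list means 'none' and also blocks
  // CSP Level 2 browsers ignore 'unsafe-inline' when a nonce or hash source is present,
  // so such a policy still blocks the attacker's un-nonced inline script.
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Weak setting: 'unsafe-inline' lets a reflected payload execute despite the header.
const WEAK_POLICY = buildCsp({
  "default-src": ["'self'"],
  "script-src": ["'self'", "'unsafe-inline'"],
});

// Corrected setting: scripts only from the site's own origin, nothing inline, plugins off.
const STRICT_POLICY = buildCsp({
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
});

// How the corrected policy would be attached to every response (Node http API).
function applyCsp(res, policy = STRICT_POLICY) {
  res.setHeader("Content-Security-Policy", policy);
  return policy;
}
```

Validation and CSP complement the output encoding shown earlier rather than replace it: the allowlist stops hostile names at the door, encoding keeps any value that does get through from becoming markup, and CSP limits the damage if both fail. The audit function is intentionally narrow; a production policy review would also look at 'strict-dynamic', 'unsafe-eval', and whether the allowed origins host anything an attacker could load.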