By Indusface Research Team
Cybercriminals are always on the move, looking for newer ways to exploit websites and applications. We have mentioned several times that their attacks are becoming more focused and sophisticated, but does this mean that they have stopped using the old and tested methods of attack? Not really. One of the most common examples of this is XSS. Cross-Site Scripting, or XSS, is one of the most prominent and prevalent web application layer vulnerabilities. Indusface’s study on the State of Application Security in India, an analysis of vulnerability data collected by Indusface Web, found that Cross-Site Scripting (XSS) tops the list of high vulnerabilities.
One would assume that if a vulnerability is well known, people would be better equipped to deal with it and therefore be least affected by it. Unfortunately, XSS has continued to affect many applications, including several well-known websites, despite having been around since the 1990s. Is XSS extremely difficult to fix? Or is protecting against it impossible? Neither is the case. Cross-site scripting is easy to find and easy to fix, and in spite of this it has managed to grace the OWASP Top 10 list, staying among the top 3 threats for the 3rd time in a row.
What is Cross-Site Scripting (XSS)?
XSS or Cross-site scripting is a type of injection problem. XSS is a web application layer vulnerability but is different from other web application layer attacks in the sense that it does not attack the application or server, but the application user.
An XSS attack occurs when a malicious user is able to inject malicious input into your website. In other words, the website accepts user-supplied data dynamically without properly validating it.
XSS attacks are of three kinds:
DOM Based XSS
You can read more about these on our blog “XSS – The Burning Issue in Web Applications”.
Is Underestimation of XSS causing trouble for big brands?
In early September this year, security consultant Benjamin Mussler warned that the Kindle e-book library was vulnerable to Cross-Site Scripting. It came to light that Amazon was aware of this vulnerability and had fixed it earlier, but in July Amazon introduced a new version of the “Manage Your Kindle” web application. It seems that this version re-introduced the vulnerability, which should have been fixed long ago. The cross-site scripting flaw allowed malicious users to inject malicious code into the victim’s account through e-book metadata; the code would be executed as soon as the victim accessed the Kindle Library web page. The attackers could then access and steal the victim’s Amazon account cookies.
This came as a huge reputational blow to a company like Amazon, with experts raising concerns that the company had not addressed the problem much earlier. Even though the problem affected only users who obtained free versions of e-books from random torrents or malicious websites, Amazon had to face a lot of heat for coming across as a vendor unable to keep its customers’ personal information secure.
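The pattern behind the flaw described above, e-book metadata written into a library page without output encoding, is shown here next to its hardened form. This is an added example, not code from Amazon or from the original article; the function names, the markup and the sample metadata are constructed for illustration.

```javascript
// Added example: hypothetical names and markup, not Amazon's code.

// The five characters that are significant in HTML text and in
// quoted attribute values, with their entity encodings.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: metadata fields are concatenated into the page as-is,
// so markup inside a title or author name becomes part of the page.
function renderRowUnsafe(book) {
  return '<li title="' + book.author + '">' + book.title + '</li>';
}

// Hardened: every metadata field is encoded at the point of output.
function renderRowSafe(book) {
  return '<li title="' + escapeHtml(book.author) + '">' +
         escapeHtml(book.title) + '</li>';
}

// Constructed sample metadata: one ordinary book, one whose fields
// carry markup in both the element body and the attribute value.
const benignBook = { title: 'Moby-Dick', author: 'Herman Melville' };
const hostileBook = {
  title: '<script>alert(1)</script>',
  author: '" onmouseover="alert(1)',
};

for (const book of [benignBook, hostileBook]) {
  console.log('unsafe:', renderRowUnsafe(book));
  console.log('safe:  ', renderRowSafe(book));
}
```

Encoding happens where the value is written into the page, not where it is stored, so metadata that arrived through any upload path is covered.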
The 3.9.3, 3.8.5 and 3.7.5 updates from WordPress addressed this XSS vulnerability.
How to protect yourself from XSS attacks
There are many ways in which a web application can be protected from XSS attacks:
For more information on this, please refer to our blog “Am I Vulnerable To ‘Cross-Site Scripting’ (XSS)?”
XSS is a very well-known vulnerability that has been studied in depth by security researchers. It is not very difficult to protect web applications against it. Instances of popular sites being compromised through cross-site scripting attacks are therefore extremely disappointing, and websites should act proactively to protect themselves.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various management/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.