Understanding Cross-Site Scripting

What is Cross-Site Scripting (XSS) 

Cross-site scripting is a type of injection attack where a malicious script is injected into benign or trusted websites. XSS attacks happen when hackers use web applications to send malicious code to a different end user. Organisations and companies running web applications can leave the door open for XSS attacks if they display content from users or untrusted sources without proper validation. 

Cross-site scripting usually occurs when an attacker tricks a web application into sending data in a form that a user’s browser is able to execute. XSS can be used to deliver malicious downloads, plugins and media content. It can also be used to steal identities in an application, redirect traffic or even introduce fake content into a corporate website. 

There are three subcategories of XSS:

  1. Reflected XSS: This is the most common XSS vulnerability and occurs when a malicious script comes from the current HTTP request and the server doesn't send back a safe response to the browser. The attack is only active during that specific request and requires the hacker to find a means of distribution, e.g. email.
  2. Stored XSS: This is where the malicious script comes from the website's database and is the result of user input stored in the application. Stored XSS has the same impact as reflected XSS, the only difference being that the attacker can place the payload into the application once and then does not have to actively distribute the attack.
  3. DOM Based XSS: This is where the vulnerability exists in client-side code that manipulates the DOM (Document Object Model) rather than in server-side code. DOM based attacks don't need to interact with web servers, meaning that active defences on the server side, such as firewalls, are useless against them.

What are the Impacts of Cross-Site Scripting? 

The impact an XSS attack has generally depends on the nature of the application, its functionality and data, as well as the status of the compromised user. For example:

  • In an application where all users are anonymous and all information is public, the impact will most likely be minimal.
  • In an application containing sensitive data, such as emails, bank details and medical records, the impact will definitely be serious.

How to Prevent Cross-Site Scripting 

Preventing XSS may be trivial in some cases but much more difficult in others, depending on the complexity of the application and the ways it handles user-controllable data.

Preventing cross-site scripting is likely to include a combination of the following measures: 

  • Applying input/output sanitisation: When user input is received, filter it as strictly as possible based on what is expected or valid input. Encode data on output to prevent it from being interpreted as active content.
  • Content Security Policy: You can use a content security policy to reduce the severity of any XSS vulnerabilities that may occur.
  • Penetration Testing: Ethical hackers can try to break into your systems to show you all of your network security flaws, and they can target potential vulnerabilities in ways not possible for an automated security program.

Cross-site scripting vulnerabilities are well known and easily exploitable; however, the best way to find flaws is to perform a code review and search for places where input from an HTTP request could make its way into the HTML output.
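The three measures above put together, as an added example that is not part of the original post: a constructed "search results" handler that reflects a query parameter, shown first in its vulnerable form and then with input validation, output encoding and a Content Security Policy header. The handler, the probe string and the policy value are all assumed for illustration.

```javascript
// Added example (not from the original post): reflected XSS and its fixes.
// Characters that must be encoded before untrusted data is placed in HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Output encoding: untrusted data becomes plain text in an HTML element context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the request parameter is copied verbatim into the HTML output,
// so any markup in it is parsed and executed by the browser.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: the same page, but the data is encoded on output.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Input validation: accept only what a search term is expected to contain
// (letters, digits, spaces) and bound its length. Returns null when rejected.
function validateSearchTerm(q) {
  if (typeof q !== 'string' || q.length > 100) return null;
  return /^[\p{L}\p{N} ]*$/u.test(q) ? q : null;
}

// Assumed policy: only same-origin scripts run, so an injected inline <script>
// is blocked by the browser even if encoding were missed somewhere.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Hardened handler: validate, encode, and ship the CSP header with the response.
function handleSearch(q) {
  const term = validateSearchTerm(q);
  if (term === null) {
    return { status: 400, headers: {}, body: 'Invalid search term' };
  }
  return { status: 200, headers: { 'Content-Security-Policy': CSP_HEADER }, body: renderSearchSafe(term) };
}

// Constructed probe: the classic benign marker used to confirm a reflection point.
const probe = '<script>alert(1)</script>';
console.log('vulnerable:', renderSearchVulnerable(probe)); // markup survives into the page
console.log('hardened:  ', handleSearch(probe));            // rejected by validation
console.log('normal:    ', handleSearch('cross site scripting'));
```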

What can Securiwiser offer your Business? 

Securiwiser will provide your business with twenty-four hour monitoring of your devices, networks and website and will scan for any suspicious behaviour and abnormalities. Each aspect of your security posture will be graded based on how well it is performing, so you will always know where your security might need tightening. If any vulnerabilities are found you will be notified immediately and a report will be compiled outlining what the issue is and you will be given advice on how to remedy the problem or pointed in the direction of someone who can fix the problem for you.
