When we think about cyberattacks, we often imagine complex, organized hacks on IT systems or network infrastructure belonging to large corporations or nation-states. In our Hollywood-influenced collective consciousness, hackers wear hoodies and they go after high-value targets with sophisticated attacks on network infrastructure and IT systems.
But while attacks like that do happen, the truth is that, like any criminal, hackers most often go for the easy target. And, more often than not, the easiest target is a vulnerable customer-facing website, where attackers can steal large volumes of consumer data.
One of the most prolific methods of attack against websites is the cross-site scripting (XSS) attack, wherein attackers load malicious scripts onto trusted websites in order to redirect the customer journey or steal data.
In this article, we’ll tell you what XSS attacks are, how they work, how they threaten businesses, and how you can protect your website against them.
What is cross-site scripting (XSS)?
How Do Cross-Site Scripting Attacks Work?
In the second step of the attack, XSS leverages the browser’s inability to distinguish this malicious script from legitimate markup, and the attacker’s malicious script executes. From there, the attacker can leverage the script to carry out a variety of attacks, like reading local storage, accessing cookies, including stealing personally identifiable information (PII), phishing, or distributing malware.
Why are XSS Attacks Dangerous to Your Business?
Cross-site scripting (XSS) attacks are so common that they’ve remained in the OWASP top 10 since their inception, but don’t underestimate them as an unsophisticated threat.
In a basic XSS exploit, an attacker may simply steal session cookies, but this is still a theft of PII, and a major violation of privacy laws like the EU’s GDPR and California’s CCPA. And, since the theft takes place on your website, you are responsible.
If sensitive data, like healthcare records or bank transactions is involved, the impact could be even more serious.
These kinds of attacks not only bring regulatory penalties and threats of legal action, they can have disastrous implications on customer trust. In a recent survey, 87% of consumers said that they wouldn’t do business with a company that had a recent data breach.
What Are the Different Types of Cross-Site Scripting Attacks?
There are two primary kinds of XSS attacks, Stored attacks, and reflected attacks, as well as a third, less common variety called DOM-based attacks.
Stored XSS Attacks
Stored cross-site scripting attacks, also known as persistent XSS, occur when attackers inject a malicious script, or payload, onto an application or website so that it is permanently stored on the server, thus causing it to serve all future users the malicious code.
Because this method persists after the initial action from the attacker, stored XSS is the most popular form of cross-site scripting.
Blind XSS vulnerabilities are a variant of stored XSS attacks that occur when the attacker input is saved by the web server but executed elsewhere, whether in the backend of the application or in another application altogether. For example, if an attacker injects malicious code into feedback forms, the script will execute once the admin of the application opens the form.
Reflected XSS Attacks
Reflected cross-site scripting attacks or non-persistent XSS attacks occur when the payload is reflected off of a web application into a user’s browser. Typically this is done through a malicious link, which is embedded in a third-party website, such as in a comments section, and which initiates an XSS request to a vulnerable website to reflect the attack back to the user. While a reflected attack does not require the attacker to find a website with an XSS vulnerability, it will not work unless users click on the link, and thus has a lower success rate than stored XSS attacks.
DOM-Based XSS Attacks
DOM Based XSS or client-side XSS is an XSS attack in which the attacker modifies the DOM environment in the victim’s browser to execute the payload.
How Can You Prevent XSS Vulnerabilities?
Cross-site Scripting vulnerabilities are one of the most common web application vulnerabilities, but luckily, it’s typically easy to tell if your website is vulnerable to XSS attacks, and simple attacks can be addressed by basic best practices.
Manual Code Reviews and Pentesting
Code review is always necessary when building a web app or website. You should audit to source code manually to identify security vulnerabilities, and perform a penetration test to find further issues.
Specifically, you should identify code that outputs user input, and ensure that the output is properly sanitized. Any HTML output involving user input should be encoded, as should URLs be.
For those looking for guidance on code reviews, OWASP offers an in-depth guide on code reviews, complete with specific sections on XSS attacks.
Filtering User Inputs
A simple way to lower your chances for XSS attacks is to filter all user input to remove dangerous tags and attributes like <script>, <body>, <html>, etc. However, it is not advised to rely on filtering as your only defense against XSS attacks, as sophisticated attackers can leverage techniques like hex encoding, and Unicode character variations to bypass filters.
Use Escaping Techniques
Writing code for escaping user input is a time-consuming and tedious process, so it’s recommended to leverage existing libraries like OWASP ESAPI or Microsoft AntiXSS to build out your escaping capabilities.
Inject Code Yourself
If you suspect XSS vulnerabilities, you can often confirm them by manually injecting a harmless script to check if your browser will execute it. The alert() function suits this purpose well.
Use a Content Security Policy
A Content Security Policy (CSP) can also help mitigate XSS attacks. A CSP is an HTTP response header that lets you control what is allowed to load on your page, based on the request source.
Protect Yourself from XSS Attacks with Go-To-Market Security
There is no silver bullet against XSS attacks, it is an evolving problem that requires a multifaceted solution. The solutions above can help organizations secure their properties against XSS attacks, but cannot guarantee success.
OWASP recommends a defense in depth posture, also known as layered defense, in which multiple, redundant layers of security safeguards and risk-mitigation countermeasures are employed.
To prevent XSS incursions, it’s imperative to be aware of all code running on your website, especially third-party code. Security assessments should be performed regularly, systems should be patched, and vulnerabilities should be addressed. Client-side protection should also be considered to allow you to unilaterally block scripts from unapproved sources, audit new scripts in real-time, and block injection-based attacks.