OWASP Top 10: Cross-Site Scripting (XSS)


The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.


OWASP Top 10 - A7: Cross-Site Scripting (XSS)


What is Cross-Site Scripting?


XSS is one of the major threat vectors in web application security: a script-injection attack used to hijack a user's access. It allows an attacker to compromise the interactions that users have with a web application by injecting client-side scripts (code) into web pages viewed by other users.


XSS bypasses the same-origin policy. The attack occurs when a victim visits a web page or web application that executes malicious code. That code is delivered to the user's browser and executed on the client (victim) side, which can lead to the attacker accessing the user's cookies, exfiltrating sensitive data, taking control of the user's session, running malicious code, or using the victim's data as part of a phishing scam, all while appearing to come from a legitimate source.


Sites that usually fall prey to XSS are the ones that accept data from users and return it to them. Attackers exploit this interactive feature to interact with the application's processes by inserting malicious code (through scripts, URLs and form data) disguised as a legitimate request, and so gain access to unauthorized data.


Types of XSS attacks


Stored (Persistent/Type 1) XSS: The most dangerous of the three XSS attacks. Here the attacker injects the malicious content (payload) into the target web application itself through input fields such as comments. The lack of input validation allows the malicious content (mainly JavaScript) to be permanently stored on the target's server; later, when a victim opens the affected web page, the payload is executed in the victim's browser as if it were legitimate HTML.


Reflected (Non-Persistent/Type 2) XSS: In this type of XSS, the payload has to be part of the HTTP request sent to the web server. The attacker supplies malicious content through an input field, and that full input is immediately returned in the response (for example in an error message) without being stored or validated as safe to render in the browser. Attackers use malicious links, phishing emails and similar lures to reach the victim, and the script executes in the victim's browser. In this way the attacker gains access to the target web application through the user's session and can retrieve any data the user has access to.


DOM-based XSS (Type 0): This is a combined variation of stored and reflected XSS. The vulnerability occurs in the Document Object Model: the attack changes the DOM environment in the victim's browser so that the client-side code contained in the page executes differently because of the malicious modification. In a DOM-based XSS attack, the malicious data never touches the web server; instead, it is reflected by the JavaScript code, fully on the client side.


How do attacks due to XSS impact businesses?


It can lead to reputational loss and loss of trust for the business, and calls the credibility of the application into question. With an XSS attack, the attacker can steal the user's session, capture the user's login credentials, masquerade as the victim user, carry out the actions permitted to that user and access their data, inject a trojan into the website, perform key logging, and even deface the website.


Past Victims:


XSS is considered one of the easiest vulnerabilities to execute and exploit in 2019 and 2020. Many major businesses have been affected by XSS in the past; a few names include eBay (e-commerce), Fortnite (gaming), British Airways and Newegg (e-commerce), with sensitive information such as PII and PCI data being stolen as a result.


How to prevent XSS attacks:

  • Always validate user input

  • Encode data on output

  • Use appropriate response headers such as Content-Type and X-Content-Type-Options

  • Sanitize HTML

  • Set the HttpOnly flag on cookies

  • Use frameworks that automatically escape output to prevent XSS by design, such as Ruby on Rails and React

  • Learn the limitations of the framework you use and implement appropriate security measures against XSS vulnerabilities

  • Enable Content Security Policy as a defense-in-depth mitigating control against XSS

  • Use a Web Application Firewall

  • Avoid javascript: URLs
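As an added example (not code from the original post), the list above in practice: a stored comment rendered by unsafe concatenation beside its output-encoded form, and the response headers the list names. The sample comment, cookie name and header values are constructed for illustration.

```javascript
// Added example, not from the original post. The sample comment and
// header values below are constructed for illustration.

// Encode the five characters that matter in HTML text and attribute
// contexts. Doing this on output, not input, keeps the stored data
// intact while making it inert when rendered.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable pattern: a stored comment concatenated straight into
// the page, so a comment containing a tag becomes live markup.
function renderCommentUnsafe(comment) {
  return '<p class="comment">' + comment + '</p>';
}

// The hardened form: the same comment, encoded for the HTML body
// context so the browser shows it as text instead of parsing it.
function renderCommentSafe(comment) {
  return '<p class="comment">' + escapeHtml(comment) + '</p>';
}

// Response headers from the prevention list: a fixed Content-Type so
// the body is not sniffed into HTML, X-Content-Type-Options to enforce
// that, a CSP as defence in depth, and HttpOnly on the session cookie
// so page script cannot read it. Tune the CSP to the application.
function securityHeaders(sessionId) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'",
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax`,
  };
}

// Constructed sample of the kind used when testing a comment field.
const sample = '<script>alert(1)</script>';
console.log(renderCommentUnsafe(sample)); // tag survives: vulnerable
console.log(renderCommentSafe(sample));   // &lt;script&gt;...: inert
```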

Interested in learning how to know if your organization is vulnerable to XSS? Drop us a note now at sales@siemba.io