The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.
OWASP Top 10 - A7: Cross-Site Scripting(XSS)
What is Cross-Site Scripting?
XSS is one of the major threat vectors in web application security, which is actually a scripting attack to hijack access. It allows an attacker to compromise the interactions that users have with a web application. XSS enables an attacker to inject client-side scripts(code) into web pages viewed by other users.
XSS bypasses the same-origin policy. The attack occurs when a victim user visits a web page or a web application that executes malicious code. That malicious code is then delivered to the user’s browser and executed on the client(victim) side, which can lead to the attacker accessing user’s cookies, exfiltration of sensitive data, taking control of an user’s session, running malicious code, or using victim’s data as a part of a phishing scam all while making it seem like coming from a legitimate source.
Sites that usually fall prey to XSS are the ones which accept and return data from users and the attackers exploit this interactive feature to interact with application’s processes by inserting malicious code(through scripts, urls and formdata) and disguising itself as a legitimate request and accessing the unauthorized data.
Types of XSS attacks
Reflected(Non-Persistent/Type2) XSS:- In this type of XSS, the payload has to be a part of the http request which is sent to the web server. In the reflected XSS scenario, the attacker inputs malicious content through the input field and that full input is immediately returned back as a response like error message without the input being validated safe to render in browser or stored. Attackers use malicious links, phishing emails etc to lure the victim and the script gets executed in the victim's browser. By that way the attacker gets access into the target web application through the user's session and the attacker can retrieve any data that the user has access to.
How do attacks due to XSS impact businesses?
It can lead to business reputational loss, trust loss and also questions the credibility of the application. With the XSS attack, the attacker can steal the user’s session, capture user’s login credentials, masquerade as a victim user, carry out the actions permissible for that victim user and access the user data, inject trojan into the website, key logging attacks and even perform a website defacement.
XSS is considered as one of the easiest to execute and exploit vulnerabilities of the year 2019 &2020. Many major business giants had been affected in the past due to XSS few names include Ebay(e-commerce), Fortnite(gaming), British Airways, Newegg(e-commerce) etc which resulted in sensitive information like PII, PCI data being stolen.
How to prevent XSS attacks :
Always validate user input
Encode data on output
Use appropriate response headers like Content-Type and X-Content-Type-Options
Set HTTP-Only flag
Use frameworks that automatically escape XSS by design, such as Ruby on Rails, React JS
Learn limitations of the framework which you use and appropriately implement security measure against an XSS vulnerability
Enable Content Security Policy as a defense in depth mitigating control against XSS
Use a Web Application Firewall
Interested in learning how to know if your organization is vulnerable to XSS? Drop us a note now at firstname.lastname@example.org