What is Cross-site Scripting?

Cross-site scripting (XSS) is a web security issue that sees cyber criminals execute malicious scripts on legitimate or trusted websites.

In an XSS attack, an attacker uses web-pages or web applications to send malicious code and compromise users’ interactions with a vulnerable application. These types of attacks typically occur as a result of common flaws within a web application and enable a bad actor to take on the user’s identity, carry out any actions the user normally performs, and access all their data. For example, if a user has privileged access to an organization’s application, the attacker may be able to take full control of its data and functionality.

The malicious script that exploits a vulnerability within an application ensures the user’s browser cannot identify that it came from an untrusted source. As a result, the attacker is able to access cookies, session tokens, and any other sensitive data the browser collects, or even rewrite the Hypertext Markup Language (HTML) content on the page. The website or application that delivers the script to a user’s browser is effectively a vehicle for the attacker. Popular targets for XSS attacks include any site that enables user comments, such as online forums and message boards.

How Does XSS Work?

XSS works by exploiting a vulnerability in a website, which results in it returning malicious JavaScript code when users visit it. The execution of malicious code occurs inside the user’s browser, enabling the attacker to compromise the victim’s interaction with the site.

Any web page or web application that enables unsanitized user input is vulnerable to an XSS attack. XSS attacks can occur in various scripting languages and software frameworks, including Microsoft’s Visual Basic Script (VBScript) and ActiveX, Adobe Flash, and cascading style sheets (CSS). However, they most commonly occur in JavaScript, which is the most common programming language used within browsing experiences. 

An XSS attack is typically composed of two stages. The first is a method they use to inject malicious code, also known as a payload, into the web-page the victim visits. This is only possible if the target website directly allows user input on its pages. If so, the attacker injects the malicious code into the page, which is then treated as source code when the user visits the client site. 

The second stage is for the victim to visit the intended website that has been injected with the payload. To achieve this, attackers often use social engineering techniques or launch a phishing attack to send the victims to the malicious website.

What Can Attackers Do with JavaScript?

JavaScript is commonly used in tightly controlled environments on most web browsers and usually has limited levels of access to users’ files or operating systems. As a result, there is a common perception that XSS vulnerabilities are less of a threat than other injection attacks, such as Structured Query Language (SQL) injection, a common technique that can destroy databases.

However, attackers can exploit JavaScript to dangerous effect within malicious content. Examples include:

  1. Malicious JavaScript can access any objects that a web-page has access to, such as cookies and session tokens. By obtaining a session cookie, the attacker can impersonate a user, perform actions while masquerading as them, and access their sensitive data.
  2. JavaScript can read and modify a browser’s Document Object Model (DOM) but only on the page it is running on.
  3. JavaScript can be used to send Hypertext Transfer Protocol (HTTP) requests via the XMLHttpRequest object, which is used to exchange data with a server.
  4. JavaScript has access to HTML 5 application programming interfaces (APIs). This means it has access to a user’s files, geolocation, microphone, and webcam. 

Combining this information with social engineering techniques, cyber criminals can use JavaScript exploits to create advanced attacks through cookie theft, identity theft, keylogging, phishing, and Trojans. XSS attacks can therefore provide the foundations for hackers to launch bigger, more advanced cyberattacks. 

Types of XSS Attacks

There are several types of XSS attacks that hackers can use to exploit web vulnerabilities. Some of the most popular include reflected XSS, stored XSS, and DOM-based XSS.

Reflected Cross-site Scripting

Reflected XSS, also known as non-persistent XSS, is the most common and simplest form of XSS attack. The hacker’s payload must be included in a request sent to a web server and is then included in the HTTP response. This method is used by attackers to lure victims into making requests to servers by sending them malicious links and phishing emails. 

Reflected XSS is a non-persistent form of attack, which means the attacker is responsible for sending the payload to victims and is commonly spread via social media or email.

Stored Cross-site Scripting

Stored XSS, or persistent XSS, is commonly the damaging XSS attack method. The attacker uses this approach to inject their payload into the target application. If the application does not have input validation, then the malicious code will be permanently stored—or persisted—by the application in a location like a database. In practice, this enables the attacker to enter a malicious script into user input fields, such as comment sections on a blog or forum post.

The attacker’s payload is served to a user’s browser when they open the infected page, in the same way that a legitimate comment would appear in their browser. Victims inadvertently execute the malicious script when they view the page in their browser.

DOM-based Cross-site Scripting

DOM-based XSS is a more advanced form of XSS attack that is only possible if the web application writes data that the user provides to the DOM. This data is then read by the application and sent to the user’s browser. The attacker can inject their payload if the data is not handled correctly. The payload is stored within the DOM and only executes when data is read from the DOM.

These XSS attacks are usually client-side and the payload is not sent to the server, which makes it more difficult to detect through firewalls and server logs. Manipulated DOM objects include Uniform Resource Locators (URLs) or web addresses, as well as the URL’s anchor and referrer parts.

How To Find XSS Vulnerabilities

Finding XSS vulnerabilities is not an easy task. They are often dependent on the type of XSS vulnerability, the user input being exploited, and the programming framework or scripting language involved. However, most XSS vulnerabilities can be discovered through a web vulnerability scanner. 

XSS vulnerabilities can easily be introduced at any time by developers or by the addition of new libraries, modules, or software. It is important to regularly scan web applications for anomalies, unusual activity, or potential vulnerabilities.

How To Prevent XSS Vulnerabilities

There are some general principles that can keep websites and web applications safe for users.

  1. Risk awareness: It is crucial for all users to be aware of the risks they face online and understand the tactics that attackers use to exploit vulnerabilities. Organizations must ensure that their employees remain aware of this by providing regular security training to keep them on top of the latest risks they face online.
  2. Trust no user input: Treating all user input as if it is untrusted is the best way to prevent XSS vulnerabilities. Any user input introduced through HTML input runs the risk of an XSS attack, so treat input from all authenticated or internal users as if they were from unknown public users.
  3. Use escaping and encoding: Escaping and encoding are defensive security measures that allow organizations to prevent injection attacks. They are available for all programming and scripting techniques, such as CSS escape, HTML escape, JavaScript escape, and URL escape. Use these libraries wherever possible, and do not write custom techniques unless it is absolutely necessary.
  4. Use HTML sanitizers: User input that needs to contain HTML cannot be escaped or encoded because it would break the valid tags. In this event, it is important to use an appropriate and trusted sanitizer to clean and parse the HTML.
  5. Set HttpOnly: Setting the HttpOnly flag for cookies helps mitigate the effects of a possible XSS vulnerability. Doing this means that cookies cannot be accessed through client-side JavaScript.
  6. Use Content Security Policy (CSP): CSP is a response header in HTTP that enables users to declare dynamic resources that can be loaded based on the request source. This can also help mitigate the consequences in the event of an XSS vulnerability.

How Fortinet Can Help

The Fortinet FortiWeb web application firewall (WAF) helps organizations prevent and detect XSS attacks and vulnerabilities. The Fortinet WAF protects business-critical web applications from known threats, new and emerging attack methods, and unknown or zero-day vulnerabilities. It safeguards organizations' rapidly evolving attack surfaces, which change every time they deploy a new feature, update an existing feature, or expose or launch new web APIs. 

FortiWeb WAFs also enable organizations to use advanced features that enhance the protection of their web applications and APIs. These features offer a multi-layered approach to protecting organizations from threats, including the Open Web Application Security Project’s (OWASP) Top 10 web security risks. Furthermore, FortiWeb uses machine learning to customize protection for every application, which ensures robust protection without the time-consuming process of manually tuning web applications. This also allows organizations to quickly spot anomalous behavior and block malicious bot activity.

FortiWeb can be deployed to protect all business applications, whether they are hardware appliances, containers in the data center, cloud-based applications, or cloud-native Software-as-a-Service (SaaS) solutions.

FAQs

What is Cross-site Scripting?

Cross-site scripting (XSS) is a common form of web security issue found in websites and web applications. It sees attackers inject malicious scripts into legitimate websites, which then compromise affected users’ interactions with the site. 

If a web application does not effectively validate input from a user and then uses the same input within the output for future users, attackers can exploit the website to send malicious code to other website visitors. In the event that an XSS vulnerability is exploited, an attacker can seize control of a user’s machine, access their data, and steal their identity. XSS attacks are often used as a process within a larger, more advanced cyberattack.

How does cross-site scripting work?

A cross-site scripting attack occurs when data is inputted into a web application via an untrusted source like a web request. The data is then included in content forwarded to a user without being scanned for malicious content. This content is typically sent to their web browser in JavaScript but could also be in the form of Flash, HTML, and other code types that browsers can execute. 

There are two stages to an XSS attack. The attacker first needs to inject malicious script into a web-page that directly allows user input, such as a blog or a forum. Stage two is for a victim to visit the affected website, which results in the malicious script being executed. Attackers often use social engineering or targeted cyberattack methods like phishing to lure victims into visiting the websites they have infected.

Common XSS attack formats include transmitting private data, sending victims to malicious web content, and performing malicious actions on a user’s machine. 

How to discover cross-site scripting

The most effective way to discover XSS is by deploying a web vulnerability scanner. These tools scan and crawl sites to discover vulnerabilities and potential issues that could lead to an XSS attack.

How to protect against cross-site scripting

Protecting against XSS comes down to awareness, following best practices, having the right security tools in place, and being vigilant to patching software and code. All users must be constantly aware of the cybersecurity risks they face, common vulnerabilities that cyber criminals are on the lookout for, and the tactics that hackers use to target them and their organizations.

It is key for any organization that runs websites to treat all user input as if it is from an untrusted source. Escaping and encoding techniques, HTML sanitizers, HttpOnly flags for cookies, and content security policies are crucial to mitigating the potential consequences of an XSS vulnerability being exploited.