Cross-site scripting (XSS) attack


Cross-site scripting (XSS) attack

Remote Command Execution (R.C.E) vulnerability
6 new vulnerabilities with D-Link home routers allow hackers to launch remote attacks

Nowadays it is more appropriate to think about websites because online apps do a lot more work than old static pages. This robust functionality is very much due to the widespread use of the JavaScript programming language. JavaScript allows websites to do pretty much the same thing, which also introduces new and unique vulnerabilities – one of the most important threats of cross-site scripting (XSS).

What is Cross-Site Scripting (XSS)?

Cross-site scripting, commonly known as XSS, occurs when hackers run malicious JavaScript into a victim’s browser.

Unlike remote code execution (RCE) attacks, the code runs in the user’s browser. After the initial injection, the site is usually completely out of control by the attacker. Instead, the bad actor adds its malicious code to a legitimate website, especially when the site is loaded so that browsers can run their malware.

Use of JavaScript in cross-site scripting

JavaScript is a programming language that works on the web pages in your browser. This client-side code adds functionality and interactivity to the web page and is widely used in all major applications and CMS platforms.

Server-side languages ​​such as PHP and JavaScript code in your browser may not affect the website for other visitors. It can only work in the sandbox for your own navigator and in your browser window.

This is useful for making background requests interact with the server, even if the JavaScript is on the client side and does not run on the server. These background requests can be used by attackers to add unsolicited spam content to a web page without refreshing, to collect analytics about the client’s browser, or to work asynchronously.

How do cross-site scripting attacks work?

When attackers enter their own code into a web page, this can usually be achieved by using a vulnerability in the website’s software, which injects their own script, which is executed by the victim’s browser.

As JavaScript runs on the victim’s browser page, sensitive details about the authenticated user are stolen from the session, especially allowing the bad actor to target the site administrator and compromise the website completely.

Another popular use of cross-site scripting attacks is when vulnerability is available on the publicly available pages of a website. In this case, attackers may inject website visitors with their own code by adding their own ads, phishing signals, or other malicious content.

What are the types of cross-site scripting attacks?

Now that we’ve covered the basics, let’s go a little deeper. Depending on their goals, bad actors can use cross-site scripting in many ways. Let’s look at some common types of attacks.

Stored (continuous) cross-site scripting

Cross-site scripting attacks occur when attackers store their payload on a compromised server, causing the website to distribute malicious code to other visitors.

This method requires only initial action from attackers and can later compromise many visitors, making it a very dangerous and commonly used type of cross-site scripting.

Examples of stored cross-site scripting attacks are profile fields, such as your username or email, which are saved on the server and displayed on your account page.

Reflective cross-site scripting

Cross-site scripting attacks occur when payloads are stored in data sent from the browser to the server.

Examples of cross-site scripting attacks that attackers reflect when malicious scripts are stored in data sent from a website search or contact form.

A typical example of reflective cross-site scripting is a search form where visitors send their search queries to the server and they only see the results.

Attackers usually send positive links to victims, which direct users to an insecure page. From this page, they often adopt different methods to induce proof of their concept.

Self-cross-site scripting

Self-cross-site scripting occurs when attackers exploit vulnerability that requires a very specific context and manual modifications. Victim only.

These specific changes may involve setting the cookie value or your information in the payload.

Blind cross-site scripting

Blind cross-site scripting attacks occur when the attacker does not see the outcome of the attack. In these attacks, the vulnerability is usually on one page, which can only be accessed by authorized users.

This method requires more preparations to successfully launch the attack; If the payload fails, the attacker will not be notified.

To increase the success rate of these attacks, hackers often use polyglots, which are designed to work on a number of different scenarios, such as plain text or a script tag. In.

An example of a blind cross-site scripting attack when the username is not secure for XSS, but only from the administration page, which is restricted to admin users.

DOM-based cross-site scripting

DOM-based cross-site scripting attacks occur when the server also does not harm XSS, but the JavaScript on the page.

Because JavaScript is used to add interactivity to a page, arguments are used to edit the page after the URL is loaded. By modifying the DOM when the values ​​received from the user are not cleared, the attacker may add malicious code to the page.

An example of a DOM-based cross-site scripting attack when changing the language selection from the default given in the website URL.

How to prevent cross-site scripting attacks?

Attackers use a number of methods to rob a website of vulnerability. As a result, there is no single strategy to reduce the risk of cross-site scripting attacks.

The concept of cross-site scripting is presented directly to the web page in the insecure user input. If the user input is properly cleaned, cross-site scripting attacks are impossible. There are many ways to ensure that users do not leave input on your websites.

To protect your website, we encourage you to tighten your web applications with the following security measures.

Whitelist value

Restrict user input to a specific whitelist. This practice ensures that only known and secure values ​​are sent to the server. Restricting user input only works when you know what data you are receiving, such as the contents of the drop-down menu, and is not practical for custom user content.

Avoid and limit HTML in the input

While HTML is required for great content, it should be limited to loyal users. If you allow styling and configuration in the input, you should consider using alternative methods to create content such as markdown.

Lastly, if you use HTML, be sure to clean it using powerful sanitizers such as DOMPurify to remove all insecure code.

Sanctify the values

When you use user-generated content on a page, make sure it does not lead to HTML content by replacing insecure characters with their entities. Entities look like normal characters, but are not used to generate HTML.

Use only HTTP flags in cookies

Session cookies are a mechanism that allows a website to identify a user between requests, and attackers often steal admin sessions by deleting your cookies. After a cookie is stolen, attackers can log into their account without credentials or authorized access.

Use HttpOnly cookies to prevent the contents of the JavaScript cookie from being read, making it harder for attackers to steal the session.

Note: This method prevents attackers from reading the cookie. Attackers can still use active browser sessions to send requests while acting as an admin user. This method is only useful when cookies trust the main authentication mechanism.

Use WAF to protect against cross-site scripting attacks You can use the firewall for almost patch attacks against your website. This method accepts attacks such as XSS, RCE, or SQLi before malicious requests to reach your website. It also has the advantage of protecting against large-scale attacks such as DDoS.


error: Content is protected !!