Cross-Site Scripting, or XSS, is one of the most common attacks by hackers for malicious purposes on the Web. Although the main abbreviation for this attack is CSS, because it is confused with CSS code, it is considered for it. Today we are going to introduce XSS attacks and teach you how to prevent them from happening. So stay tuned until the end of the article.
What are XSS attacks?
XSS attacks are a type of code injection attack on the client-side. In this attack, the attacker tries to execute malicious code through a legitimate web page in the Internet users’ browser, and the main attack occurs when the victim visits that web page or web application.
In fact, the web page or web application is used by the hacker as a means of sending malicious code to the user’s browser. Sites such as forums, message boards, and web pages that allow users to post comments are the best way to inject malicious scripts.
If the web page uses the input of infected users in its generated output. It becomes vulnerable to XSS attacks and the user input must then be parsed by the victim browser. XSS attacks can occur in VBScript, ActiveX, Flash and even CSS. Of course, most attacks occur in the JavaScript language, because this language is one of the main elements of Internet browsers.
XSS attacks and users
If a hacker exploits an XSS vulnerability on a page to inject malicious JavaScript code into a user’s browser, then the security of that web application and its users will be compromised. Unlike security issues, XSS attacks dont limit users, so if they are dangerous to users of your website, they will definitely affect you.
Some hackers also use XSS attacks to disable websites instead of targeting users. In this case, the hacker can use the injected scripts to change the content of the website or redirect the victim browser to the infected pages.
Hacker and JavaScript
XSS attacks are less risky than SQL injections. Injecting JavaScript into a web page may not be dangerous at first glance because most web browsers execute JavaScript code in a completely controlled environment. JavaScript also imposes restrictions on access to the operating system and user files. However, it can be very dangerous if JavaScript is a part of malicious content:
- Malicious JavaScript can infiltrate all objects that other web pages have access to. For example, user cookies are one of the parts that malicious JavaScript can access. Due to the fact that Session Tokens are usually stored in user cookies if a hacker has them. Then he is able to perform profiteering activities by forging the user’s identity and also access the user’s sensitive data.
- Malicious JavaScript is able to read the Internet browser DOM and then make changes to it. Fortunately, this is only possible on pages where JavaScript is running.
- JavaScript can use the XMLHttpRequest object to send custom HTTP requests to any destination.
- JavaScript in modern browsers can use the HTML5 API, so it is able to access the geographical location, microphone, webcam and specific files of the user’s computer system. Most of these APIs require the presence of the user, but hackers can use social engineering to solve this problem.
In general, a hacker can easily carry out advanced attacks such as cookie theft, trojan planting, keylogging, phishing and identity theft through the items mentioned and a little bit of social engineering. Hackers can use XSS attacks first to launch a powerful attack, or use it alongside other attacks such as CSRF.
How do XSS attacks work?
A typical XSS attack is divided into two parts:
- To execute malicious code in a victim browser, the hacker must first find a way to inject the code into a web page that the user is visiting.
- The victim must then visit that malicious web-infected web page. If the attack is intended for a specific person, the hacker can use social engineering or phishing to send him an infected URL.
For the first step to be possible, the website must enter user input directly on its pages. The hacker can then insert the malicious string into the web page; This string is the source code by the user’s browser. Of course, in some cases, the hacker uses social engineering to persuade the victim to click on malicious URLs.
How to prevent XSS attacks
To protect yourself from XSS attacks, you need to keep your website traffic safe. Your application should not send input directly to users’ browsers without checking the input data. Preventing XSS attacks is not easy as the techniques to deal with it depend on the type of XSS attack, the user input platform and the framework, and the programming language of the website in question. However, there are some basic principles to stay safe from XSS attacks, which we will briefly explain below:
1- Educating and maintaining the awareness of developers
Everyone involved in the development of an application or website should be aware of the risks associated with XSS vulnerabilities. Therefore, you should provide the necessary training on application security to all programmers, quality assurance staff, DevOps team and system administrators.
2- Lack of trust in user input
Consider all user inputs as untrusted inputs. In fact, any user input that is a part of HTML output is susceptible to XSS attacks. Therefore, you should treat valid inputs and internal users as public inputs.
3- Using Escaping / Encoding technique
Use the Escaping / Encoding technique depending on where the user inputs are used. For example, you can use HTML escape, JavaScript escape, CSS escape, and URL escape libraries; In other words, use your escapes only when needed.
4- Clear HTML
If the user input must be HTML, you can not use the Escaping / Encoding technique as this will destroy the valid tags. In such cases, you must use a valid library to parse and clear HTML.
You can choose the library according to the programming language used in the application development, for example HtmlSanitizer library for .NET language or SanitizeHelper for Ruby on Rails language is a good option.
5- Using HttpOnly flag in cookies
You can use the HttpOnly flag feature in your cookies to reduce the intensity of XSS attacks. In fact, by doing so, HttpOnly flag cookies are not read by JavaScript on the user side and are virtually unavailable.
6. Use a Content Security Policy (CSP)
You can also use a content security policy, or CSP, to reduce the consequences of XSS attacks. This security template is actually an HTTP response header and allows you to specify the resources allowed to load according to the source request.
7- Continuous scanning of web pages
XSS vulnerabilities may sometimes be identified by developers or through libraries, modules, and software related to your web pages. Therefore, it is better to constantly scan the vulnerability of your web pages using scanners such as Acunetix.