🛡️

Understanding Cross-Site Scripting (XSS)

May 25, 2025

Lecture Notes: Cross-Site Scripting (XSS) Overview

Introduction to XSS

  • Definition: Cross-Site Scripting (XSS) is a type of security vulnerability found in web applications that allows an attacker to inject malicious scripts into web pages viewed by other users.
  • Abbreviation: XSS is used instead of CSS to avoid confusion with Cascading Style Sheets.
  • Origin: Initially named due to browser vulnerabilities where data from one site could be shared with another.
  • Prevalence: One of the most common web application vulnerabilities.
  • Exploitation: Relies on the trust browsers have for websites.
  • Common Language: Often exploits vulnerabilities using JavaScript.

Exploitation of XSS

  • Attack Structure: Involves three parties: the victim, a trusted website, and the attacker.
  • Attack Method:
    • Attacker sends a malicious link (via email, text, etc.) to the victim.
    • Victim clicks the link, visiting a legitimate site with an embedded malicious script.
    • Results in sending private data (cookies, session details) to the attacker.

Types of XSS Attacks

Non-Persistent (Reflected) XSS Attack

  • Description: The attack is reflected off a web server back to the victim's browser.
  • Example: A script can be executed via user input fields like a search box on a third-party site that doesn’t sanitize input properly.
  • Impact: Attacker gains access to session information of the victim’s interaction with the site.

Persistent (Stored) XSS Attack

  • Description: The attacker stores a malicious script on a target server, affecting every user who requests the stored data.
  • Method: Attacker uses platforms like social media to spread a malicious link.
  • Propagation: Users sharing content unknowingly spread the malicious code.

Real-World Example

  • Case Study: In 2017, a security flaw was found in Subaru's website.
    • Token Vulnerability: Tokens didn’t expire and could be used to gain unauthorized access to vehicle controls.
    • XSS Vulnerability: Allowed attackers to steal tokens by sending malicious links.
    • Resolution: Discovered by a researcher and fixed by Subaru.

Protection Against XSS

  • Avoid Clicking Untrusted Links: Do not click unexpected links, especially from emails or messages.
  • Manage JavaScript:
    • Consider disabling or restricting JavaScript, though it can limit functionality.
  • Keep Software Updated: Ensure browsers and apps are up-to-date to receive vulnerability patches.
  • Secure Application Development: Developers should validate all inputs to prevent script injection.

These notes cover the key points about cross-site scripting vulnerabilities, types of XSS attacks, real-world implications, and preventative measures.

Full transcript