Cross-Site Scripting (XSS) Overview

Jun 22, 2024

Cross-Site Scripting (XSS)

Introduction

  • Abbreviated as XSS (not CSS to avoid confusion with Cascading Stylesheets).
  • Originally named due to browser vulnerabilities allowing site-to-site information sharing.
  • Common vulnerability in web applications.
  • Takes advantage of browser trust for different websites.
  • Often involves JavaScript, a popular client-side programming language.

How XSS Attacks Work

  • Involves three parties: Victim (User), Trusted Website, and Attacker.
  • Mechanism: Attacker sends a link containing malicious script to the victim.
    • Delivery methods: Email, text message, etc.
  • Execution: Victim clicks the link, visiting a trusted site with an additional malicious script.
  • Outcome: Data sent to attacker (e.g., cookies, session information).

Types of XSS Attacks

Non-Persistent (Reflected) Attack

  • Description: Vulnerability exists in third-party websites allowing scripts in user input fields.
  • Example: Search engine on a website permitting JavaScript in the input box.
    • Attacker sends a link exploiting the vulnerability.
    • Private information is sent to the attacker when the victim interacts with the exploit.
    • E.g., inserting script into a credit card number field.

Persistent (Stored) Attack

  • Description: Attacker stores a malicious script on a third-party site.
  • Example: Social media message containing the malicious payload.
    • Affects every visitor to the compromised social media page.
    • Code execution in the visitor's browser.
    • Potential spread through sharing on the social network.

Real-World Example

  • Incident (June 2017): Subaru's website vulnerability discovered by Eon Guzman.
    • Vulnerabilities: Permanent session tokens without expiration and API exploitation.
    • Impact: Unauthorized vehicle service requests; potential for attackers to add their emails to other users' accounts.
    • Resolution: Reported and fixed by Subaru.

Protection Against XSS Attacks

  • Best Practices:
    • Avoid clicking suspicious links in emails/messages.
    • Manually type trusted domain names in the browser.
    • Consider disabling or limiting JavaScript (via plugins).
    • Keep browser and applications updated for latest security patches.
  • Developer Precautions:
    • Validate all user inputs to prevent script injection in input fields.