Lecture Notes: Cross-Site Scripting (XSS)

Introduction

• Cross-Site Scripting (XSS): A common vulnerability in web applications.
• Abbreviation: CSS is used for Cascading Style Sheets, hence XSS is used for Cross-Site Scripting.
• Origin: Named for browser vulnerabilities where information from one site could be shared with another.

Importance of XSS

• Common Vulnerability: One of the most prevalent in web apps.
• Browser Trust Exploitation: Takes advantage of the trust browsers have for websites.
• JavaScript Dependency: Many XSS attacks use JavaScript due to its ubiquity and enablement across browsers.

Exploiting XSS

• Exploitation Process:
  • Victim (user)
  • Trusted Website
  • Attacker
• Attacker’s Method: Sends a link with malicious script via email, text, etc.
• Victim Interaction: Clicks the link, visiting a legitimate site where the script runs covertly.
• Information Theft: The script sends sensitive information (cookies, session details) to the attacker.

Types of XSS Attacks

Non-Persistent (Reflected) Attack

• Description: Scripts run within user input blocks (e.g., search engine).
• Attack Process:
  • Attacker emails a vulnerable link.
  • User clicks link, executes script, which sends data back to attacker.
• Example: Search engine allowing JavaScript execution.

Persistent (Stored) Attack

• Description: Attackers store malicious scripts on third-party sites (e.g., social media).
• Attack Process:
  • Scripts run every time someone views the site/page.
  • Infects each user’s browser, spreading the malicious script further.

Case Study: Subaru Website Vulnerability

• Discovery: By security researcher Aon Guzman in June 2017.
• Issue: Persistent token vulnerability and XSS on Subaru’s website.
• Impact: Unlimited token usage, control over any vehicle tied to the account.
• Resolution: Subaru was informed and fixed the vulnerabilities.

Protection Against XSS

• Preventative Measures:
  • Avoid clicking untrusted links (email, messages).
  • Use browser plugins to disable or limit JavaScript.
  • Regularly update browsers and applications to fix vulnerabilities.
• For Developers: Ensure all user input is checked to prevent script injection.