Cross-Site Scripting Attacks and How to Prevent Them

When you imagine a cyber attack, what do you think of, exactly? Many of us will conjure up images of a hacker gaining access to our machine and running rampant once inside. Or perhaps you’ll picture a web application being directly targeted via SQL injection or a similar attack vector. However, one of the most common types of website vulnerabilities targets the visitors of a website instead. We’re talking about Cross-Site Scripting (XSS) attacks, in which an attacker gets malicious script to run inside the victim’s browser, in the context of a site the victim trusts.

What Are XSS Attacks?

Cross-site scripting happens when an attacker gets a piece of script they control to execute in another user’s browser. It’s important to remember that the attacker isn’t taking over the web server at all; rather, their script is injected into a page the site serves, so it reaches the browser as part of the site’s own content and runs with the site’s origin and privileges. That’s how the code ends up being executed: once injected markup and legitimate markup arrive in the same HTML response, the browser has no way to tell them apart and treats the injected script as just another piece of the website.

The sites most exposed to XSS are those that reflect or store user-supplied input in their pages: message boards, forums, site search features, comment sections, and profile fields. If the right precautions aren’t taken, the injected payload can be delivered through:

  • JavaScript
  • VBScript
  • ActiveX
  • Flash
  • CSS

In practice, JavaScript is what matters today. VBScript, ActiveX and Flash are no longer supported by current browsers, and CSS injection is mostly limited to leaking page data rather than executing script.

How Do XSS Attacks Work?

JavaScript is the language used in almost all XSS attacks. The attacker first finds a place where the application writes untrusted input into a page without encoding it for that location, then crafts input that the browser parses as script. These scripts are called “client-side” scripts because they run on the “client”, the user’s browser, as opposed to “server-side” code that runs on the website’s server. Depending on where the input comes from, the attack is called reflected (input echoed straight back from the request, for example a search term), stored (input saved by the application and served to later visitors, for example a comment) or DOM-based (the page’s own client-side JavaScript writes untrusted data into the document).

More specifically, these “client-side” scripts run in the user’s browser when the vulnerable page is loaded, with the same access to the page as the site’s own JavaScript: they can read the DOM, send requests that carry the user’s cookies, perform actions as the logged-in user, and read any session tokens the page exposes. Attackers use this in a wide variety of ways, ranging from harvesting information from individual users’ accounts to targeting administrators and, through their privileges, taking over the entire website.

The injected code itself can have a wide range of functionality. Some attackers target users with ads or phishing prompts, while others are more subtle and design their code to work behind the scenes, capturing keystrokes or form submissions or quietly making changes on the victim’s behalf. The capabilities available to an attacker who can run script in a victim’s browser are considerable.

How to Prevent XSS Attacks?

It all starts in the design phase, where you’ll want to build in security measures and follow secure coding practices from the outset. Testing is critical, and code scanning tools (static analysis and dynamic scanners) help find vulnerabilities. Manual testing for stored and reflected cross-site scripting should also take place: submit distinctive test inputs into every entry point of the application, then identify every location where that input is returned in HTTP responses and check how it is encoded in each of those locations.

Unfortunately, there isn’t one bulletproof strategy for preventing XSS attacks, given the wide range of applications and their varying requirements. However, there are a number of general protective measures that you should use:

  • Know the limitations of your framework’s built-in XSS protection (most template engines auto-escape HTML text but not, for example, URLs or inline script) and how to handle the exceptions
  • Avoid accepting HTML as input; if you must, run it through a robust, maintained sanitizer that works from an allow list of tags and attributes rather than trying to detect unsafe code
  • Treat data passed in URL parameters and fragments exactly like any other untrusted input
  • Turn off HTTP TRACE support on all web servers; TRACE echoes request headers, cookies included, and was used in cross-site tracing attacks to read cookies that HttpOnly was meant to hide (modern browsers block TRACE from script, but disabling it costs nothing)
  • Set the HttpOnly flag on session cookies so that JavaScript cannot read their content; this limits the damage from an XSS bug but does not prevent it, since injected script can still send requests that carry the cookie
  • Validate input strictly at the point where it is received, preferring an allow list of expected formats, but treat this as defense in depth: input validation alone cannot stop XSS, because the same data can be harmless in one output location and dangerous in another
  • Encode output data for the context it is written into (HTML body, attribute value, JavaScript string, URL) so that it cannot be interpreted as active content; this is the primary defense
  • Use a Content Security Policy (CSP), delivered via HTTP header, to restrict the sources from which scripts may load; nonce- or hash-based policies are stronger than host allow lists, and you must keep the policy up to date whenever you add sources or dependencies

A key principle to keep in mind: never trust any data you get from the browser or user. Always assume it could contain malicious code, and encode it so that it cannot do harm even when it does.

In addition to these technical measures, there needs to be education and awareness as well. Developers, designers, and quality assurance staff should all understand the different ways that attackers exploit XSS vulnerabilities. Coupled with coding guidelines and best practices specific to your application environment, this should let you effectively minimize the considerable risk that XSS attacks pose to your website.

I hope you learned a little about XSS attacks.
