Cross Site Scripting (XSS)

February 11, 2021

What Is Cross Site Scripting (XSS)

Cross Site Scripting (XSS) is a code injection attack in which an adversary inserts malicious code into a legitimate website. The code then runs as a script in the user’s web browser, enabling the attacker to steal sensitive information or impersonate the user.

Web forums, message boards, blogs, and other websites that allow users to post their own content are the most susceptible to XSS attacks. Unless the input is reviewed, verified, and encoded by the web application, any malicious script included in the posted content will be run automatically by other users’ browsers. This script can then access the user’s cookies, session tokens, or other sensitive information retained by the browser and used on that site. In more advanced attacks, these scripts can even rewrite the content of the infected web page.

Fileless and script-based attacks, such as XSS, have been on the rise in recent years because they evade detection. These attacks can easily circumvent traditional anti-virus (AV) solutions and firewalls, making them relatively simple to carry out. Organizations need to include XSS detection and prevention as part of their overall cybersecurity strategy to protect their website visitors and reduce the risk of reputational harm to the organization.

Cross Site Scripting Attacks

Cross site scripting attacks exploit security vulnerabilities within trusted websites to spread malicious code to other users.

While XSS attacks are relatively common, they are somewhat low-priority within the cybersecurity community because their impact is relatively narrow. Because the malicious script can only affect the user’s interaction with the infected site, the attacker’s activity is limited to that session. Furthermore, most attacks are conducted in JavaScript, which grants only limited access to the user’s operating system and to personal information stored elsewhere on the device.

That said, XSS attacks can compromise the user’s information within an infected site. This means that the attacker can capture user credentials, passwords, payment information, and other sensitive data. The adversary can also masquerade as the user and carry out any action on the site available to legitimate users. Attacks like this may have significant implications if the site allows visitors to make or alter transactions or change account information, including contact details.

XSS attacks can also be a first step or core component of a more advanced attack. For example, an adversary can leverage information gathered during an XSS attack to inform social engineering tactics used in phishing or spoofing attacks. These activities can lead to more significant security issues, such as malware, ransomware, or Trojans.

Types of XSS Attacks

There are three main types of Cross Site Scripting attacks:

  1. Reflected or non-persistent XSS: The malicious script is executed as part of an active HTTP request and is “reflected” from the webserver to the user.
  2. Stored or persistent XSS: The malicious script is saved permanently in the web application’s database, such as the visitor log, web forum, or comment field.
  3. DOM-based XSS: The security vulnerability exists on the client-side code, which is code that runs in the browser instead of the server-side code.

Reflected or non-persistent XSS

Reflected XSS, the most straightforward variety of Cross Site Scripting, occurs when a web application receives data from an HTTP request and then responds immediately without validating or encoding the data. Because the application does not process the data in any way, the attacker can easily launch a script-based attack on other users.

In a reflected attack, the injected script presents itself as an error message, search result, or similar action through a malicious link. When clicked, this link will execute the script, which allows the injected code to travel to the vulnerable site and “reflect” back to the user’s browser. The browser executes the code because it considers the site a trusted source. The script can then perform any action available to the user in that session, as well as capture any data transmitted by the user during the session.

Stored or persistent XSS

Stored XSS attacks, also known as persistent XSS attacks, occur when a web application includes data from an untrusted or unverified source in subsequent HTTP responses. In a Stored Cross Site Scripting attack, the injected script is saved permanently on the target servers, such as in a database, message board post, comment, or other location. If the site doesn’t process the submitted data, an attacker can easily input content that includes a malicious script that will infect other users. The victim’s browser retrieves the malicious script from the server when it requests the stored information.
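Reflected and stored XSS share one root cause (untrusted data written into HTML without encoding) and one fix (encoding at the output stage), so the reflected and stored sections above are illustrated together with a single added example. The Node.js code below was written for this page and is not CrowdStrike’s code or any framework’s API; the render functions, the escapeHtml helper, the comment rows and the probe input are all constructed for illustration.

```javascript
// Added example (not from the original article): reflected and stored XSS
// rendered two ways. Function names and sample data are constructed.

// Vulnerable reflected path: the live request's query value is concatenated
// straight into the HTML response, so markup in the request comes back
// unchanged and the browser parses it as part of the trusted page.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Minimal HTML entity encoder for the HTML body and quoted-attribute contexts.
// These five characters are the ones that can open or close markup/attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened reflected path: identical page, encoding applied at output time.
function renderSearchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Stored path: the data comes from the database instead of the live request,
// but it is still untrusted, so the same encoding applies when it is rendered.
// `comments` is a constructed stand-in for rows loaded from storage.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Constructed probe: a harmless marker that a browser would parse as a script element.
const PROBE = "<script>probe()</script>";

// Runs all three renderers against the probe and reports whether raw markup survived.
function demo() {
  const vulnerable = renderSearchPageVulnerable(PROBE);
  const safe = renderSearchPageSafe(PROBE);
  const stored = renderCommentsSafe([{ author: "mallory", body: PROBE }]);
  return {
    vulnerableLeaksMarkup: vulnerable.includes("<script>"),
    safeLeaksMarkup: safe.includes("<script>"),
    storedLeaksMarkup: stored.includes("<script>"),
    safeOutput: safe,
  };
}

console.log(demo());
```

The encoder here is correct only for the HTML body and quoted attribute values. Data placed inside a JavaScript string, a URL, or a CSS value needs the encoder for that context; reusing `escapeHtml` there is a common way for an otherwise careful application to stay exploitable.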

Document Object Model or DOM-based XSS

DOM XSS is a relatively uncommon type of cross site scripting attack. Unlike the other two attack types (Reflected XSS and Persistent XSS), which target server-side code, a DOM XSS attack exploits security vulnerabilities in client-side code, that is, code that runs in the browser. An attack of this nature occurs when a web application’s JavaScript processes data from an untrusted source in an unsafe way. DOM XSS attacks always happen in JavaScript because JavaScript is the only language that all browsers understand.
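The DOM-based case above, as an added example written for this page (not the article’s code). Node.js has no DOM, so `FakeElement` is a constructed stand-in that records what a real element would do with the value written to it; the `showWelcome*` functions, the allowlist and the probe fragment are assumptions made for the illustration.

```javascript
// Added example (not the article's code): a DOM-based XSS sink and its fix.
// Node.js has no DOM, so FakeElement is a constructed stand-in that records
// what a real element would do with the value it receives.

class FakeElement {
  constructor() {
    this._html = "";
    this._text = "";
    this.childTags = []; // tag names a browser would create from innerHTML
  }
  // A real browser parses the string as HTML, builds elements and fires any
  // inline event handlers; the stand-in only records the tags it would create.
  set innerHTML(markup) {
    this._html = markup;
    this.childTags = [...markup.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  }
  get innerHTML() { return this._html; }
  // textContent is a text sink: the browser never parses it as markup.
  set textContent(text) {
    this._text = text;
    this.childTags = [];
  }
  get textContent() { return this._text; }
}

// Reads the value after "#" in a URL fragment; malformed percent-encoding is
// treated as an empty value instead of throwing.
function nameFromHash(hash) {
  try {
    return decodeURIComponent(hash.replace(/^#/, ""));
  } catch (e) {
    return "";
  }
}

// Vulnerable client-side pattern: URL-controlled data reaches an HTML sink.
// The server never sees the fragment, which is why this is a pure DOM issue.
function showWelcomeVulnerable(hash, element) {
  element.innerHTML = "Welcome, " + nameFromHash(hash);
  return element.childTags;
}

// Hardened: same data, text sink, so the value is displayed rather than parsed.
function showWelcomeSafe(hash, element) {
  element.textContent = "Welcome, " + nameFromHash(hash);
  return element.childTags;
}

// Defence in depth: validate the value against an allowlist before it reaches
// any sink at all (letters, digits, space and a few punctuation marks).
function isValidDisplayName(name) {
  return /^[\p{L}\p{N} _.-]{1,40}$/u.test(name);
}

// Constructed probe: the percent-encoded fragment for
// #<img src=x onerror="probe()">, a harmless marker with an event attribute.
const PROBE_HASH = "#%3Cimg%20src%3Dx%20onerror%3D%22probe()%22%3E";

console.log("innerHTML sink would create:", showWelcomeVulnerable(PROBE_HASH, new FakeElement()));
console.log("textContent sink would create:", showWelcomeSafe(PROBE_HASH, new FakeElement()));
```

In a real page the choice of sink is the whole story: `innerHTML`, `document.write` and `eval`-style APIs parse or execute their input, while `textContent` and `setAttribute` on non-event attributes do not. Code review for DOM XSS therefore means tracing every value that originates from `location`, `document.referrer`, `postMessage` or storage to the sink it finally reaches.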

Additional XSS classification methods

It is important to note that while each of these three attack types is distinct, they are not exclusive. The categories overlap, and adversaries can combine elements of two attack types in a single attack. For this reason, the cybersecurity community also classifies XSS attacks by where the code is executed, the server or the client, and may refer to attacks as Server XSS or Client XSS.

How Does Cross Site Scripting Work?

As noted in the section above, an XSS attack’s mechanics will vary based on the type of attack being deployed. That said, most attacks follow the same process:

  1. The attacker identifies a place and method for injecting malicious code into a web page. For this to be possible, the website must allow users to add content to the page through comments, posts, or contact fields. If the attacker has a specific target, they will employ social engineering tactics, including phishing and spoofing techniques, to encourage the user to visit the site in question. Otherwise, the code is left for any user to encounter.
  2. The victim visits the website containing the injected code. Their browser accepts and executes the infected script because it treats it as part of the source code of a trusted site. Given that the code is not visible and most internet users do not understand common programming languages such as JavaScript, it is difficult for the average user to detect XSS attacks.

Why do cybercriminals launch XSS attacks?

The most common reason for hackers to launch an XSS attack is to steal a user’s cookies. Using this stored information, they can then impersonate the target on that site and carry out any action that the user can complete. The attacker can also capture valuable personal data, including login credentials, passwords, payment information, and other sensitive details, which would make it easier for them to carry out other attack methods that rely on social engineering techniques. Attackers may also target the website itself. With this tactic, adversaries will use their code to rewrite or change the webpage content.

Different cross site scripting approaches

An XSS attack can occur any place where input from an HTTP request could make its way into the HTML output. Below is a list of common tactics that attackers may leverage in an XSS attack:

  • Utilize a <script> tag to reference, insert or embed malicious JavaScript code.
  • Exploit JavaScript event attributes, such as onload and onerror, within different tags.
  • Deliver an XSS payload within the <body> tag through JavaScript event attributes.
  • Exploit unsecured <img>, <link>, <div>, <table>, <td> or <object> tags to reference malicious script.
  • Leverage the <iframe> tag to embed a webpage within the existing page.
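A defender’s use of that list: an added example, not from the article, that scans web-server access-log lines for the tags and event attributes named above and surfaces the requests worth a closer look. The log lines are constructed in the Apache combined style, and the pattern names and functions are this example’s own.

```javascript
// Added example (not from the original article): a log-triage signal for the
// XSS vectors listed on the page. Log lines below are constructed samples.

const LOG_LINES = [
  '203.0.113.5 - - [11/Feb/2021:10:00:01 +0000] "GET /search?q=red+shoes HTTP/1.1" 200 512',
  '203.0.113.7 - - [11/Feb/2021:10:00:04 +0000] "GET /search?q=%3Cscript%3Eprobe()%3C/script%3E HTTP/1.1" 200 640',
  '198.51.100.2 - - [11/Feb/2021:10:00:09 +0000] "GET /profile?name=%3Cimg%20src%3Dx%20onerror%3Dprobe()%3E HTTP/1.1" 200 700',
  '198.51.100.9 - - [11/Feb/2021:10:00:12 +0000] "GET /page?src=%3Ciframe%20src%3D%22//example.test%22%3E HTTP/1.1" 200 300',
];

// One entry per vector family from the list above; order determines hit order.
const VECTOR_PATTERNS = [
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "event-handler-attribute", re: /\bon[a-z]+\s*=/i },
  { name: "iframe-tag", re: /<\s*iframe\b/i },
  { name: "markup-tag", re: /<\s*(img|link|div|table|td|object|body)\b/i },
];

// Pulls the request target out of the quoted request line.
function parseRequestPath(line) {
  const m = line.match(/"(?:GET|POST|PUT|DELETE|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Splits the query string and percent-decodes each value; undecodable
// values are kept raw so a malformed request cannot crash the scanner.
function decodeQuery(path) {
  const idx = path.indexOf("?");
  if (idx === -1) return [];
  return path.slice(idx + 1).split("&").map((pair) => {
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? "" : pair.slice(eq + 1);
    let value;
    try {
      value = decodeURIComponent(raw.replace(/\+/g, " "));
    } catch (e) {
      value = raw;
    }
    return { key, value };
  });
}

// Returns { path, hits } for a line whose decoded query matches any pattern,
// or null for a line with nothing suspicious.
function flagLine(line) {
  const path = parseRequestPath(line);
  if (!path) return null;
  const hits = [];
  for (const { key, value } of decodeQuery(path)) {
    for (const { name, re } of VECTOR_PATTERNS) {
      if (re.test(value)) hits.push(`${key}:${name}`);
    }
  }
  return hits.length ? { path, hits } : null;
}

function scanLog(lines) {
  return lines.map(flagLine).filter(Boolean);
}

for (const finding of scanLog(LOG_LINES)) console.log(finding);
```

This is a review aid, not a control: values can be encoded in ways the decoder does not undo, the event-attribute pattern will also match words such as "online=", and stored and DOM-based attacks never show their payload in a request line at all. Output encoding in the application remains the fix; the scan only tells you where to look first.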

What languages are targets of XSS

Any web page or web application that uses unsanitized user input is vulnerable to an XSS attack. This means that XSS attacks are possible in content written in any web language or technology, such as HTML, VBScript, ActiveX, Flash, and even CSS. That said, XSS attacks are most commonly carried out in JavaScript because it is the most ubiquitous language on the web.

What are the threats of XSS?

XSS attacks can result in significant issues for victims. In extreme cases, XSS attackers can leverage user cookies to masquerade as that person. The code can also steal files and data or install malware on the device.

On the server-side, XSS attacks can result in reputational harm to the host organization. For example, by changing the content on a corporate site, attackers can spread misinformation about the company’s business practices or activities. The adversary can also manipulate website content to provide incorrect instructions or directions to visitors. Becoming compromised in this way is especially dangerous if hackers can overtake government websites or resources during emergency events, ultimately misdirecting people on how and where to proceed in times of crisis.

Unfortunately, XSS flaws can be challenging to identify, especially if the user lacks computer programming knowledge. Even skilled developers rarely check code from trusted sites. Once injected, it is often very challenging to remove the malicious code from the application for Stored XSS attacks.

How can you prevent cross site scripting

It’s crucial to ensure your organization is not vulnerable to XSS attacks. Script-based and other fileless attacks have increased in recent years because they can avoid detection by new and old security tools, including antivirus software and firewalls.

To maintain a secure website, organizations’ web teams should work cross-functionally with their cybersecurity team or with a trusted cybersecurity partner to help them assess the risk of XSS attacks on their corporate site.

Managing a safe and secure website on both the client and server side typically requires a vulnerability management solution that continuously monitors the site for vulnerabilities. An excellent complement is to appoint a SecOps champion, someone within the cybersecurity team who works with web developers and others on your web team to offer security best practices when developing and maintaining a website. The security champion can also provide insight into critical weaknesses or vulnerabilities that could leave your website open to XSS attacks.

Additionally, by working with your cybersecurity team, you should consider these practices to create a secure and safe web environment:

  • Perform manual penetration testing in select areas that have a high chance of exploitation.
  • Limit users’ ability to submit content to the company’s website and other resources, such as forums, blogs, or member groups.
  • If allowing user inputs, filter all content on arrival using stringent parameters, and encode data at the output stage.
  • Prevent malicious code from being injected in responses that should not contain HTML or JavaScript code.
  • Provide continual cybersecurity training and development opportunities for your IT team, as well as developers, computer programmers, and computer engineers, to ensure they are aware of the risks of XSS and can adequately address them by design.
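Three of the items above (filtering on arrival, encoding at the output stage, and keeping HTML out of responses that should not carry it) as an added Node.js example written for this page; it is not CrowdStrike’s code or any framework’s API. The field rules, the response shapes and the function names are assumptions, and the caller is assumed to generate a fresh random nonce for every HTML response.

```javascript
// Added example (not from the original article): prevention practices from
// the list above in code. Field rules, response objects and names are constructed.

// 1. Filter on arrival: each field accepts only the characters it is allowed
//    to contain (allowlist), rejecting markup before it is stored anywhere.
const FIELD_RULES = {
  username: /^[A-Za-z0-9_]{3,32}$/,
  postcode: /^[A-Z0-9 -]{3,10}$/i,
};

function validateField(name, value) {
  const rule = FIELD_RULES[name];
  if (!rule) throw new Error(`unknown field: ${name}`);
  return typeof value === "string" && rule.test(value);
}

// 2. Responses that should never carry HTML say so explicitly: a JSON content
//    type plus nosniff stops the browser from treating the body as a page even
//    if user-supplied markup is present in the data.
function buildApiResponse(payload) {
  return {
    status: 200,
    headers: {
      "content-type": "application/json; charset=utf-8",
      "x-content-type-options": "nosniff",
    },
    body: JSON.stringify(payload),
  };
}

// 3. Encode at the output stage, in the right context. JSON embedded inside a
//    <script> block must not contain a literal "</script>" (or "<!--"), and
//    U+2028/U+2029 are line terminators in JavaScript but not in JSON.
function safeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Renders the page's bootstrap data into an inline script that carries the
// per-response nonce, so only this script is permitted by the CSP below.
function renderBootstrapScript(data, nonce) {
  return `<script nonce="${nonce}">window.__DATA__ = ${safeJsonForScript(data)};</script>`;
}

// Headers for HTML pages: inline scripts run only with the nonce, plugins and
// <base> hijacking are disabled, which limits the impact of any injection
// that slips past validation and encoding.
function buildPageHeaders(nonce) {
  return {
    "content-type": "text/html; charset=utf-8",
    "content-security-policy":
      `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`,
    "x-content-type-options": "nosniff",
  };
}

// Constructed demonstration values; a real nonce comes from a CSPRNG per response.
const DEMO_NONCE = "demo-nonce-not-random";
console.log(validateField("username", "alice_01"), validateField("username", "<b>alice</b>"));
console.log(renderBootstrapScript({ note: "</script>" }, DEMO_NONCE));
console.log(buildPageHeaders(DEMO_NONCE)["content-security-policy"]);
```

Input filtering is the first line, but it cannot be the only one: the allowlists here suit usernames and postcodes, while free-text fields must accept characters such as `<` and `'`, so those fields rely entirely on encoding at output plus the CSP to limit what an injected script could do.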