Cross-Site Scripting (XSS) vulnerability: What is it and how to stay protected?

• Cross-Site Scripting (XSS) is an attack vector that could allow attackers to inject malicious code into a vulnerable web application.
• There are three types of Cross-Site Scripting (XSS) vulnerabilities such as Stored XSS, Reflected XSS, and DOM-based XSS.

Cross-Site Scripting, also known as XSS, is a security vulnerability that could allow an attacker to compromise the interactions users have with the vulnerable application. Cross-Site Scripting (XSS) is an attack vector that could allow attackers to inject malicious code into a vulnerable web application.

XSS attacks occur when attackers inject their malicious code into a web application. Cross-site scripting could also allow an attacker to execute malicious scripts in another user's browser.

Types of Cross-Site Scripting Vulnerability

• Stored XSS
• Reflected XSS
• DOM-based XSS

Stored XSS - In Stored XSS, the payload is permanently stored in the target application. For instance, an attacker injects malicious script into a comment field of a blog post. Visitor viewing the page will inadvertently execute the payload.

Reflected XSS - In Reflected XSS, attackers deliver the payload directly to the victim’s computer and trick the victim into executing the payload. For example, phishing emails that include malicious attachments. Users upon clicking/opening the malicious attachment, the payload gets executed.

DOM-based XSS - The vulnerability exists in the client-side source code rather than the server-side code. DOM-based XSS attacks occur when the web application's client-side script writes user-provided data to the Document Object Model (DOM). Attackers will then inject a payload that will be stored as part of the DOM.

Impacts of Cross-Site Scripting Vulnerabilities

An attacker who exploits a cross site scripting vulnerability will be able to perform various malicious activities such as

• Impersonate the victim user and execute any action that the actual user is able to perform.
• Compromise the victim’s machine and collect system data.
• Gain access to users’ sensitive data and steal users’ credentials.
• Attackers can redirect victims to a phishing site.
• They can capture screenshots of the webpage and steal cookies and caches.
• Attackers could deface the web site and plant malware into the website.

Examples of Cross-Site Scripting Vulnerabilities

Example 1 - Cross-Site Scripting vulnerabilities detected in Labkey Server

In January 2019, researchers detected Cross-site scripting vulnerabilities in the LabKey Server, thereby allowing attackers to perform XSS attacks and compromise medical research data.

The software suite contained cross-site scripting vulnerabilities that allowed attackers to inject malicious code, following which it creates redirects to fake URLs as well as admin access.

Example 2 - Cross-Site Scripting vulnerabilities in Yahoo Mail

In December 2018, a security researcher named Jouko Pynnönen detected a critical cross-site scripting vulnerability in Yahoo Mail that could allow attackers to steal users’ email and inject malicious code to users’ outgoing messages.

The vulnerability was due to lack of proper filtering for malicious code in HTML emails that could allow attackers to redirect victim’s emails to an external site, alter Yahoo account settings, and perform various malicious activities.

Yahoo fixed the vulnerability in January 2019 and awarded Pynnönen with $10,000 for detecting the flaw.

How to stay protected?

• To prevent XSS attacks, it is recommended to sanitize user input and validate inputs.
• It is best to install a good web application firewall to stay protected from such attacks.
• It is also recommended to apply output encoding and encode the HTML special characters.

Google has developed a new Chrome feature that fights against DOM-based XSS attacks. This new feature is a browser API called ‘Trusted Types’ that helps Chrome fight against certain cross-site scripting XSS vulnerabilities.

Trusted Types will prevent DOM-XSS attacks by enabling websites owners to lock down known injection points in a website's source code which causes DOM-based XSS.