Saturday, November 11, 2017

Cross Site Scripting (XSS)

Cybercrime has been at an all time high in recent history, with many corporations and online services having suffered through some significant cyber attacks which have been harmful to the safety and privacy of their own data as well as that of their clients. 

Every day new exploits are being discovered or combined in a new clever way, making protection of sensitive customer data increasingly difficult.

One of the more common attack vectors is called Cross Site Scripting. In fact it continues to make it into the OWASP Top 10 Application Security Risks Report year after year.

Cross Site Scripting (or XSS) is a technique by which an attacker gains access to the user session through clever placement and execution of his own malicous code into vulnerable web applications. Instead of attacking the website or service directly, the goal is to hijack the already established session of a user, allowing the attacker to then impersonate his victim.

When properly exploited, a sucessfull Cross Site Scripting attack can have devastating consequences, as it grants the attacker full control over the user session, which in turn allows him to access and modify otherwise protected data.

There are essentially three different types of Cross Site Scripting attacks:

1. Stored XSS

Also known as Persistent XSS or Type I XSS, stored XSS is arguably the worst form of Cross Site Scripting vulnerability. Stored XSS occurs when an attacker is able to sneak his payload into a website in a way that exposes it to other visitors of the site. The perpetrator finds a vulnerability in the website and injects a malicious script into it. This script is designed to collect tokens and session cookies from any user who accesses it. Often times the attacker exploits weak input validation mechanisms of the website in question, allowing him to insert clientside javascript code into the site, for example through a comment field. When other users visit the site, the inserted script gets executed on their computer and transmits their session cookies to the attacker.

A stored XSS attack has a much larger and widespread effect than that of a reflected one primarily because it comes into action each time the webpage is visited, causing harm without even requiring the user to click or enter a particular link. 

These type of XSS attacks generally occur on popular pages, specifically social media sites and sharing platforms with high amounts of traffic, as once exploited, they can spread and grow exponentially in a very short amount of time.

2. Reflected XSS

This is one of the most common and basic forms of web vulnerabilities. In this type of XSS attack, the malicious script is not directly injected into the website but instead requires the user to click on an specially prepared link first. This link is sent to them through email or any other means of communication. When clicked on, the link will take them to the website, where the malicious script will then be embedded into it and "reflected" to the browser. Since the command is coming from the website itself which is a trusted source, albeit reflected, the browser lets it run.

3. DOM Based XSS

When a browser receives the HTML content of the server, it builds the so-called Document Object Model (DOM), allowing client-side scripts to interact with all the different elements of the page. It is an object oriented in-memory representation of the web page.

DOM Based XSS attacks aim to inject the payload into the DOM using vulerabilities of the existing client-side scripts of the targeted website, making them very difficult to detect.

Recent research has found that about 77% of the top 5.000 URL's from Alexa harbor known vulnerabilities in their clientside JavaScript code, making them susceptible to DOM based XSS attacks. 

Measures to prevent XSS attacks

In order to minimize the risk of a sucessfull attack against users of your website or service you should make sure to implement proper input data validation and URL encoding. Ask your users not to click on any links they receive by E-Mail and encourage them to enter the addresses manually into their browser instead.

Most importantly, keep your thrid party frameworks and libraries up-to-date to protect your users against known security vulnerabilities in them.