XSS Attacks (Cross-Site Scripting) | Web Security

XSS, an acronym derived from Cross ('X') Site Scripting, refers to the injection of malicious scripts into a legitimate website or web application. It is similar to other web attacks such as SQL injection; however, it is more devastating, since an XSS attack does not target the application itself but rather puts the users of that application at risk.

Most of the time, users are not even aware of the malicious script hiding behind an innocent-looking website. All it takes is for the user to interact with the affected website for the script to run. Depending on the severity of the attack, information in the user's account may be compromised as a result.

How are webpages made?

A web page as we see it is written in HTML, which is a mark-up language. In other words, everything we see is written within tags, denoted by the < and > symbols. For example, to make text bold on a web page, all we have to do is write the text between the <b> and </b> tags.

[Figure: Embedding JavaScript in HTML] The page appears as two paragraphs, even though one of them is an HTML paragraph and the other is produced by a JavaScript code snippet.

As the online world grew, websites needed to become more interactive, and so JavaScript came onto the scene. JavaScript code is written into an HTML page using the <script> tag. When a user requests an HTML page containing JavaScript, the script is sent to the browser along with the page, and the browser executes it. One can do many things with JavaScript, from building interactive websites to full-fledged games. It is one of the most powerful languages.

How do XSS Attacks work?

Suppose a website does not sanitize user input and a perpetrator takes notice of that. He can now inject his own malicious script into the website and wait for some other user to fall into his trap. Such attacks may be used to steal visitors' session cookies: each time a new visitor triggers the script, the session cookie is sent to the perpetrator. Since the cookie identifies the user's session, the perpetrator can now pose as that user and is entitled to do and see everything the user is entitled to.

Apart from stealing users' session cookies, the perpetrator can also read and modify the page running in the browser and send HTTP requests to arbitrary destinations.

Modern browsers expose APIs with access to geolocation, the webcam, hardware and even some files on the user's file system. An XSS attack combined with some social engineering can therefore have many devastating outcomes.

[Figure: XSS attack] The perpetrator usually first identifies the vulnerability and then sets the trap for the next visitor to the website.

The most common targets of such attacks are websites that allow users to share content: blogs and social networks that let users share text, images and videos and message other users.

Types of XSS Attacks

There are two types of XSS attacks:

Stored XSS – A stored XSS attack is what we discussed above. It is the more damaging of the two, as it can be automated: it is triggered just by visiting the affected website.

Reflected XSS – A reflected XSS attack requires the user to click on a particular link. The malicious script is embedded in the link, which is one of the reasons why one must never click on unknown links.

How to Prevent XSS Attacks

As a user, it is almost impossible to recognize an affected website. However, you must always avoid clicking suspicious-looking links that may have malicious scripts disguised behind them.

As a developer, it is your responsibility: if it can affect your users, it can affect you as well. Stored XSS attacks rely on unfiltered input fields, and they can be fixed by validating and sanitizing the inputs on the website.

In PHP, one way to filter input is to run it through the filter_var() function with FILTER_SANITIZE_STRING (removes any tags it finds) or FILTER_SANITIZE_FULL_SPECIAL_CHARS (escapes any tags it finds) as the filter. Another, more complex option for WordPress is wp_kses(), which strips malicious scripts.
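The following is an added example, not code from the original article: a comment-rendering function with the stored-XSS bug described above placed next to the fixed version that uses FILTER_SANITIZE_FULL_SPECIAL_CHARS. The function names and the sample comment are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: a comment as it might arrive in $_POST['comment'].
// The <script> canary only opens a dialog; it stands in for any injected script.
const SAMPLE_COMMENT = "Great post! <script>alert('stored XSS')</script>";

// Vulnerable: the stored comment is concatenated into the page unchanged, so
// the browser executes the embedded <script> for every later visitor.
function renderUnsafe(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// Fixed: FILTER_SANITIZE_FULL_SPECIAL_CHARS converts < > & " ' into HTML
// entities, so the browser displays the tag as text instead of running it.
// (FILTER_SANITIZE_STRING is deprecated since PHP 8.1; prefer this filter.)
function renderSafe(string $comment): string
{
    $escaped = filter_var($comment, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    if ($escaped === false) {
        $escaped = ''; // filter_var() returns false when filtering fails
    }
    return '<p class="comment">' . $escaped . '</p>';
}

// Quick check used below: does the rendered HTML still contain a live <script> tag?
// Escape exactly once, at render time; escaping an already-encoded value again
// would make "&lt;" show up literally on the page.
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo renderUnsafe(SAMPLE_COMMENT), PHP_EOL;
echo renderSafe(SAMPLE_COMMENT), PHP_EOL;
var_dump(containsLiveScriptTag(renderUnsafe(SAMPLE_COMMENT)));
var_dump(containsLiveScriptTag(renderSafe(SAMPLE_COMMENT)));
```

Note that this filter escapes for the HTML body context only; a value placed inside a JavaScript block or a URL attribute needs encoding appropriate to that context.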

For more details, refer to this article by Wordfence.