Cross-Site Scripting (XSS) Attacks
Posted March 2, 2016 - 3 min read
Topics:
security
javascript
In my previous post we have discussed what are CSRF attacks are and various approaches to prevent them.
Also said before, most CSRF protection approaches are inefficient if your application is vulnerable to Cross Site Scripting (XSS) attacks.
An XSS attack enables the attacker to inject a malicious code (script) into the application which may be executed in the browser environment and leading to sensitive data leaks or performing malicious actions.
Within this post we are going to discuss XSS attacks, which are today one of the most widespread web vulnerabilities.
Overview
All XSS vulnerabilities occur when the application server does not validate properly the user input before saving it into the database or return it back to the browser.
The following diagram demonstrates how an XSS attack may occur.
┌────────┐
┌──────────────────────────────► User 2 │
│ (3) │ Victim │
│ View comments └────────┘
│
│ GET /blog/123/comments
│ ┌───────────────────────────────────────────────┐
│ │ <html> │
│ │ ... │
│ │ <script>alert('XSS Vulnerability')</script> │
│ │ </html> │
│ └───────────────────────────────────────────────┘
│
┌──┴───┐
(2) │Server│
┌────────┐ Save │ │
│Database◄───────────┤ │
└────────┘ │ │
└───▲──┘
│ (1)
│ Create a comment
│
│ POST /blog/123/comments
│ <script>alert('XSS Vulnerability')</script>
│
┌────┴───┐
│ User 1 │
│Attacker│
└────────┘
XSS attacks can be categorized into the following categories:
Persistent XSS Attacks: also known as Stored XSS Attacks, persistent XSS attacks occur when the injected malicious script in the user input, is saved in the application database permanently. Every time a user requests a page where the malicious code has been injected, the application server returns the HTML response and when the browser renders it, the malicious code get executed.
Non-persistent XSS Attacks: also known as reflected XSS Attacks, non-persistent XSS attacks works the same way as persistent attacks, except that the malicious code is not stored in the database, but instead returned to the browser as it is.
DOM based XSS attacks: this kind of XSS attacks may occur without retrieving the injected malicious code from the application server. Instead, it occurs when the DOM of web page is dynamically modified by JavaScript by inserting or appending content from a source that the attacker may misuse (for example the webpage URL input, or a textarea field in a form).
How to prevent XSS attacks?
XSS attacks may be prevented by simply not trusting the user input.
A user input should be passed in to a security filter which removes any html tag that is not expected from the user, for example the script tag.
Additionally, the user input should be escaped or encoded to make sure that any active content is disabled.
In some cases, where the user content is expected to contain HTML tags, it is recommended to use a well known security library that may help to clean up and to validate the HTML code.
Conclusion
When developing a web application, treating user input properly is always good habit which every web developer must have.
Ignoring or neglecting user input treatment may be disastrous, as once you enable an attacker to execute malicious code in your application, he can do everything he wants, like stealing user credentials, hijacking sessions, or even stealing users credit card information.