What is Cross Site Scripting (XSS)
In this article:
- Types of XSS
Types Of XSS
There are three types of cross site scripting, namely:
- Reflected XSS
- Dom-based XSS
- Stored XSS
Reflected XSS occurs when the website allows for malicious scripts to be injected into it. An attacker then sends the link of the targeted website containing the malicious script to other users. Once the link (mostly anchor links) is opened, the script executes and the attacker is able to steal the user’s session cookies.
This is an efficient attack as it allows for the script to fire off every time a new user opens the malicious link.
For example, a website “
https://www.vulnerable-website.com/” could have a search functionality that would look like:
Once the user inputs the data into the search field, the url would look like this:
However, the lack of proper sanitization could result in malicious code being injected into the input value. It would look something like this:
https://www.vulnerable-website.com/search/?input=<script>/*snippet of dangerous code*/</script>
This is all that’s required for an attacker to spread the malicious code to every visitor using this link, and is why Reflected XSS is so dangerous and widespread. Additionally, it doesn’t even need to store the data to the servers of the web application, allowing it to fly under the radar.
Dom-based cross site scripting is mainly used for hijacking the user sessions, allowing the attacker to gain unauthorized access to the website.
Stored XSS attacks use HTTP requests to gain unauthorized access and exploit vulnerabilities on the website.
Any user that opens the affected page of the website is affected, given that the malicious code executes in the browser.
The primary cause for this is due to a lack of input sanitisation by the developer. This occurs predominantly with contact forms or similar input fields. If they aren’t handled properly, the attacker can inject their malicious code into that input field, causing the website to run the malicious code.
There are a few popular methods in preventing Cross Site Scripting attacks:
- Input validation
- WAF (Web Application Firewall)
- Content security policy
The best way to prevent cross site scripting attacks is to ensure every input field is validated.
You should always replace sensitive characters that may cause disruption with their entities. Even though they display the same way, entities cannot generate HTML, saving you potential failures in the future.
Even though it’s often impossible to do so, try restricting the user input to a specified list whenever you can, such as when selecting a currency, country, etc.
Another method of defending against XSS, as well as various other attacks, is by using a Web application firewall (WAF). which continuously monitor and intercept these attacks. However, WAFs should be used as a last-resort defensive measure and do not offer 100% protection – being secure by design should be your main priority.
Content Security Policy
As a developer, being able to easily detect and fix XSS issues before they hit production is a must.
With Bright you can easily detect XSS, either as a standalone scanner or fully and seamlessly integrated into your development pipelines, with NO false positives.
Sign up for a FREE account here to start scanning your web applications and APIs today