Attacks with non-validated user input - How to tackle Cross-Site Scripting (XSS)
March 26, 2020

Cross-site Scripting (XSS) is one of the most common web security vulnerabilities. This is also recognized by the OWASP organization, listing XSS vulnerabilities as the second most widespread issue in their Top 10 list.  

If you are already caught up on what XSS is, you can scan your company for free and check whether your assets run software that might be vulnerable to XSS with Autobahn.

What is it?

Malicious actors use Cross-Site Scripting (XSS) attacks to inject malicious script into legitimate websites. They do this by targeting web applications that place input from users (for example a form field or a comment) into the output they generate, without encoding or validating it. Normal users then unknowingly navigate to a web page carrying the injected code, and that code, most commonly JavaScript, is executed within the victim’s browser. In other words, an XSS vulnerability arises when a web application's response does not properly sanitize or encode user input.

How does it work?

With XSS attacks, the website used by the malicious actor is not (completely) taken over, but serves as a platform to which the attackers attach their malicious code. In other words, XSS is a client-side attack. The user’s browser executes this malicious code when the web page is loaded. This means that the attacker can steal sensitive data about (authenticated) users, because the script runs in the browser as if it came from the trusted site. Most of the time, the web pages that become “vehicles” for XSS attacks are forums, or pages that allow comments from users. Attackers go after cookies, session tokens, or other sensitive information used on that specific website. There are three major types of XSS attacks:

- Reflected: the malicious script travels in the user's own HTTP request (for example in a URL parameter) and is reflected back in the response, where it runs;

- Stored: the malicious script is saved on the server (for example in the website's database) and served to every unknowing user who views the page; and

- DOM-based: the vulnerability resides in the client-side code instead of the server-side code.

Example

Imagine a web page where people can reply to the latest news. The code of this page has to show the most recent reply and works like this:

{% c-block language="js" %}
// Server-side code that builds the page. The stored reply is concatenated
// into the HTML exactly as it was saved, with no encoding or validation.
let html = "<html>";
html += "<h1>This is the most recent reply on this web page</h1>";
html += "<h2>" + database.lastReply + "</h2>";
html += "</html>";
response.send(html);
{% c-block-end %}

As you see, the script selects the last reply from its database and incorporates it into the HTML page. There is no check that the reply consists only of plain text and not of markup or code. This means that an attacker can post a reply too, and that reply can carry a malicious script:

{% c-block language="html" %}
This news story is great! <script>maliciouscode();</script>
{% c-block-end %}

When a user now visits the website, the server returns the following HTML:

{% c-block language="html" %}
<html>
<h1>This is the most recent reply on this web page</h1>
<h2>This news story is great! <script>maliciouscode();</script></h2>
</html>
{% c-block-end %}

To summarize, when a user visits the web page and this HTML loads in their browser, the malicious script is executed. Users have no practical way to tell, so most of the time this goes unnoticed.
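An added example, not part of the original post, that puts the vulnerable rendering above beside a hardened version that encodes the reply at the point of output (the `database` object, the function names and the sample reply are constructed for the illustration):

```javascript
// Added example, not from the original post: the article's vulnerable render
// beside a hardened version that HTML-escapes the reply at the point of output.
// `database` is a constructed stand-in for the site's data store.
const database = {
  lastReply: "This news story is great! <script>maliciouscode();</script>",
};

// Vulnerable: the reply is concatenated into the markup unchanged, so any tag
// it carries becomes part of the page and the browser executes it.
function renderVulnerable(reply) {
  return "<html>\n" +
    "<h1>This is the most recent reply on this web page</h1>\n" +
    "<h2>" + reply + "</h2>\n" +
    "</html>";
}

// Escape the characters that can change the meaning of text placed between
// tags. This is correct for element content only; values placed inside
// attributes, URLs or inline scripts need their own context-specific encoding.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, but the reply is encoded on output, so the reader
// sees the attacker's <script> as literal text instead of running it.
function renderSafe(reply) {
  return "<html>\n" +
    "<h1>This is the most recent reply on this web page</h1>\n" +
    "<h2>" + escapeHtml(reply) + "</h2>\n" +
    "</html>";
}

// Minimal regression check for a test suite: a rendered page must not contain
// a raw <script> tag that originated from user content.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderVulnerable(database.lastReply)); // ships the injected tag
console.log(renderSafe(database.lastReply));       // shows it as plain text
```

The regression check only catches this one payload shape; output encoding in every template is the fix, the check just guards against the encoding being dropped later.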

How do I secure myself?

Curious if your web applications or web pages are vulnerable to XSS attacks? Try Autobahn, the vulnerability scanner with the hacker’s perspective now for free! Click here to sign up and get your report with tips on how to remediate XSS injection attacks now.  

Note that XSS vulnerabilities can be present in third-party libraries and plugins your web application uses, as well as in the web application itself. Autobahn checks for outdated versions of plugins and libraries and tests some XSS payloads against the public part of your application. Please note that many XSS vulnerabilities can only be found under specific conditions or after authentication. For security-critical applications, we believe automated scanning can support, but not replace, a dedicated penetration test.

The Autobahn scan checks for known vulnerable plugins and frameworks you might be using and tests your inputs. If the report mentions that your site is vulnerable to XSS, you can prevent potential attacks by fixing the programming bugs it points to and by updating the affected middleware, plugin or framework.
