Most Common Web Application Security Vulnerabilities #3: Cross Site Scripting (XSS)
Types of XSS attacks
Cross-Site Scripting attacks are a form of injection in which malicious scripts are injected into an otherwise trusted web application. An XSS attack occurs when an attacker uses a web application to send malicious browser-side script to an end user. These flaws are very common: they arise wherever a web application includes user-supplied input in the output it generates without validating or encoding it. An attacker who finds such a flaw can use it to deliver a malicious script to an unsuspecting user, and the user's browser executes it because it has no way to know that the script is malicious and should not be trusted.
DOM Based XSS — Here the web application does not serve the malicious script to the targeted browser directly. Instead, the application contains vulnerable client-side scripts that deliver the malicious script to the target's browser, similar to a reflected attack. Unlike a stored attack, however, a DOM-based attack does not store the malicious script on the vulnerable server itself.
The Root Cause for XSS attacks
- Input coming into web applications is not validated
- Output to the browser is not HTML encoded
After-effects of XSS attacks
If an attacker can exploit a third-party component and inject malicious code into the script, they can launch an attack against the users of the application. The injected script then executes with the same privileges as a local script: it can access application data and perform any action available to the current user. The impact is particularly large when the vulnerability is reachable externally or before authentication, because attackers can discover and exploit it more easily. A successful attack can:
- Hijack an account.
- Access browser history and clipboard contents.
- Spread web worms.
- Scan and exploit intranet appliances and applications.
- Control the browser remotely.
Protecting against XSS Attacks
If the application encodes user-supplied data into HTML entities before writing it into a page, the browser will not execute stored user input: it displays the input as text rather than interpreting it as markup. At a minimum, it is best practice to output-encode the following characters:
- “<” = “&lt;”
- “&” = “&amp;”
- “>” = “&gt;”
- “/” = “&#x2F;”
- double quote = “&quot;”
- single quote = “&#x27;”
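As an added example (not code from the original post), the following JavaScript implements the entity encoding listed above and contrasts a template that interpolates user input raw with one that encodes it at the output sink; the comment-rendering functions, the `containsRawTag` check and the sample payload are constructed for illustration.

```javascript
// Added example: HTML entity output encoding for the six characters
// listed above, applied to a constructed comment-rendering template.
// Runs under Node without a DOM; the template functions are hypothetical.

const HTML_ENCODE_MAP = {
  '&': '&amp;',   // encoded so a literal '&' cannot start another entity
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',  // hex form is valid in both HTML and XHTML
  '/': '&#x2F;',  // stops a closing tag such as </script> being completed
};

// Encode untrusted text for the HTML body context (element content or
// quoted attribute values). JavaScript, URL and CSS contexts need their
// own encoders; this function alone is not sufficient for those.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENCODE_MAP[ch]);
}

// Reverse mapping, used to check that the encoding is lossless.
function decodeFromHtml(encoded) {
  const reverse = Object.fromEntries(
    Object.entries(HTML_ENCODE_MAP).map(([ch, ent]) => [ent, ch]),
  );
  return encoded.replace(/&(?:amp|lt|gt|quot|#x27|#x2F);/g, (ent) => reverse[ent]);
}

// Deliberately vulnerable: user input is interpolated into markup raw,
// so any tag inside `comment` is parsed by the browser as markup.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened: the same template with output encoding applied at the sink.
function renderCommentSafe(comment) {
  return `<p class="comment">${encodeForHtml(comment)}</p>`;
}

// Check for a raw tag in rendered output (handy in a unit test that
// guards templates against regressions).
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// Constructed sample payload, the textbook proof-of-concept pattern.
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';

console.log(renderCommentUnsafe(SAMPLE_PAYLOAD));
console.log(renderCommentSafe(SAMPLE_PAYLOAD));
```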
Some resources:
The “X-XSS-Protection” Header: This instructs the browser to activate its inbuilt XSS auditor to identify and block XSS attempts against the user. Note that current Chromium-based browsers have removed the auditor and Firefox never implemented it, so this header should not be relied on as a primary defence.
OWASP Encoding Project: An encoding library written in Java by OWASP.
The XSS Protection Cheat Sheet by OWASP: A checklist to follow during development, with a variety of examples.
Content Security Policy: Instructs the browser which sources are “safe” to load script from; script from any other origin is not executed.