An Outline on Cross-Site Scripting Attacks

Cross-site scripting (XSS) is one of the most critical and most common vulnerabilities in web applications. Most well-known websites have been affected by it, including Facebook, Google, PayPal, Amazon and many others. If you look at bug bounty programs, you will see that most of the reported issues are XSS. Browsers try to prevent cross-site scripting with built-in filters, but security researchers regularly find ways around those filters. The vulnerability is typically used for spreading malware, stealing cookies, malicious redirection and session hijacking. In the attack, malicious JavaScript is injected into a website so that the victim's browser executes it, which lets the attacker perform actions through that script. The vulnerability is not difficult to find but is hard to patch completely, which is why it turns up on so many websites.

In this article, we will discuss what a cross-site scripting attack is and what types of it exist.

What Is Cross-Site Scripting Attack

A cross-site scripting attack targets web applications: attackers inject malicious scripts into trusted websites in order to perform malicious actions. The injected code runs in the browsers of the users who visit the site. Cross-site scripting is abbreviated as XSS rather than CSS because in web design CSS already stands for Cascading Style Sheets; the abbreviation XSS avoids that confusion.

The attack takes place when a web application delivers to the end user a script that was supplied by an attacker. The weakness can exist anywhere in an application where user input is not properly encoded. Without proper encoding and sanitization of that input, users receive the injected malicious script, and the browser has no way of knowing that it should not trust it. When the browser executes the script, the malicious action is performed on the client side. Usually, XSS is used to steal a valid user's session tokens and cookies in order to hijack the session.

Types of Cross-site Scripting Attack

Most experts categorize XSS into the following three types: persistent XSS, non-persistent XSS and DOM-based XSS.

Persistent cross-site scripting attack

This is also known as stored cross-site scripting. It takes place when XSS vectors are stored in the website's database and become active when a page is opened by a user. Every time a user opens the affected page, the script runs.

Non-Persistent Cross-site scripting attack

Non-persistent XSS is also called reflected cross-site scripting. This is the most common kind of XSS. In this attack, the attacker injects data which is reflected back in the response.

DOM-based cross-site scripting attack

DOM-based XSS is also known as "type-0 XSS". It takes place when the XSS vector executes on a website as a result of a modification of the DOM.

Cross-site scripting is one of the most serious website vulnerabilities, as it can be used in many ways to harm a website's users. To build a hard-to-bypass XSS filter, one should study as many of the available XSS vectors as possible. Analyzing them and coding the filter functions around the attack patterns they reveal is the way to block the attack.

Reasons for the Occurrence of Cross-Site Scripting

The main reason for cross-site scripting attacks is that developers assume users will never act irresponsibly or do something wrong. Because of this, developers build applications without making the extra effort to filter user input, which is what blocks malicious activity. Another important reason is that this attack has many variants. Even when an application tries to filter malicious scripts, it can be tricked into letting a script through. That is why there are so many distinct XSS vectors capable of evading most of the available XSS filters.

How to Build a Good XSS Filter, Which Blocks Most XSS Vectors

Even though we can never have a perfect XSS filter, we can try to build one that blocks the popular XSS vectors.

The following are some basic filters that can be created:

A simple rule to follow is that every piece of data supplied by a user should be encoded. Data that does not come directly from a user but arrives through a GET parameter should be encoded too. XSS vectors can also arrive in a POST form. So, each time you use a variable's value on a website, check it for XSS.

The following data should be properly sanitized prior to being used on your website:

  • The URL
  • GET parameters from a form
  • HTTP referrer objects
  • window.location
  • POST parameters from a form
  • document.location
  • document.referrer
  • document.URLUnencoded
  • document.URL
  • headers data
  • cookie data
  • database data, if not properly validated on user input

Firstly, encode <, >, ' and ", together with & and /. This must be the first step of your XSS filter. The encoding is as follows:

  • & –> &amp;
  • < –> &lt;
  • > –> &gt;
  • " –> &quot;
  • ' –> &#x27;
  • / –> &#x2F;

For this, you can use the htmlspecialchars() function in PHP, which converts the HTML special characters &, <, > and " (and, with the ENT_QUOTES flag, the single quote as well) into their entity equivalents.

$input = htmlspecialchars($input, ENT_QUOTES);

If $input was "><script>alert(1)</script>

this function would turn it into &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;

The following line also helps where a value is decoded again before being used elsewhere:

$input = str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $input);

A vector may also use HTML character references (numeric entities), so these should be normalized as well. The following rules should be added:

// Join references split by whitespace or control characters, e.g. "&#60 ;" -> "&#60;"
$input = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $input);
// Terminate hex references that lack their ";", e.g. "&#x3C" -> "&#x3C;"
$input = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $input);

But, along with these, you also need to consider other possibilities and add further rules, which make the filter stronger.
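As an added example (not code from the article), here is a JavaScript port of the filter steps described above so they can be run against sample input; the function names, the entity map and the sample strings are chosen here.

```javascript
// Added example: a JavaScript port of the article's PHP filter steps, so the
// rules can be run against sample input. Names and samples are chosen here.
// Step 1: the six replacements from the encoding table. htmlspecialchars()
// with ENT_QUOTES covers the first five (PHP emits &#039; for ', same meaning).
const HTML_ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeForHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITY_MAP[ch]);
}

// Step 2: the two preg_replace rules. PHP replaces every match by default,
// so the /g flag is needed in JS. They repair character references padded
// with whitespace/control characters or missing their ";" so that a later
// decoder sees one well-formed reference instead of a mangled one.
function normalizeEntities(input) {
  let out = String(input);
  out = out.replace(/(&#*\w+)[\x00-\x20]+;/gu, '$1;'); // "&#60 ;" -> "&#60;"
  out = out.replace(/(&#x*[0-9A-F]+);*/giu, '$1;');   // "&#x3C"  -> "&#x3C;"
  return out;
}

// Normalise first, then encode for an HTML text or attribute context.
function xssFilter(input) {
  return encodeForHtml(normalizeEntities(input));
}

// After filtering, no character that can open markup or close a quoted
// attribute may remain raw.
function containsRawMarkup(s) {
  return /[<>"']/.test(s);
}

// Constructed sample inputs (the first is the article's own example).
const SAMPLE_INPUTS = [
  '"><script>alert(1)</script>',
  '&#60 ;script&#62 ;',            // references split by whitespace
  'Tom & Jerry\'s "best" 1/2',     // benign text must survive readably
];

function runFilter(inputs) {
  return inputs.map((v) => {
    const output = xssFilter(v);
    return { input: v, output, safe: !containsRawMarkup(output) };
  });
}

for (const r of runFilter(SAMPLE_INPUTS)) console.log(JSON.stringify(r));
```

Note that the encoded output is only safe in an HTML text or quoted-attribute context; JavaScript, URL and CSS contexts need their own encoding rules.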
